The Cybersecurity Bill was released for public consultation by the Ministry of Communications and Information as well as the Cyber Security Agency of Singapore (“CSA”).
This article was first published by Asia Law Network.
What is the Cybersecurity Bill?
It is a draft of the proposed Cybersecurity Act which is expected to be passed by Parliament by the end of this year or the start of 2018.
Prime Minister Lee Hsien Loong has described a safe cybersecurity ecosystem as a critical priority for Singapore’s Smart Nation aspirations. Towards that vision, the Singapore Government established the CSA in 2015 and published a national Cybersecurity Strategy in 2016. A key part of that strategy is the introduction of a comprehensive new law to strengthen the country’s existing legislative framework and empower the CSA to address current cybersecurity challenges.
The new law aims to:
- Identify and regulate computer systems which are critical information infrastructures (“CII”);
- Empower the CSA to investigate, manage and respond to cybersecurity threats and incidents;
- Facilitate the sharing of cybersecurity information; and
- Provide a licensing regime for selected cybersecurity service providers.
Who must take note of the new Cybersecurity Bill?
Individuals and businesses who own or manage computer systems should take note of this Cybersecurity Bill. This new law may affect almost anyone who carries out commercial or social activities on a non-negligible scale.
A large part of the Cybersecurity Bill is focused on protecting computer systems which are considered critical information infrastructures or CII. Nevertheless, there are other provisions under the Cybersecurity Bill which may affect persons who own or manage computer systems that are not CII, especially when these computer systems are affected by or involved in significant cybersecurity incidents.
Businesses that provide technology services, including SaaS or PaaS, or cybersecurity services, such as endpoint security or threat detection services, should also be aware of the obligations under this Cybersecurity Bill.
Are my computer systems considered critical information infrastructures?
The CSA’s chief, formally known as the Commissioner for Cybersecurity, can issue a written notice to designate your computer system as a CII. The Commissioner has the power to request technical or other information on your computer system before making a CII designation.
A computer system will be designated as a CII if it is necessary for the continuous delivery of essential services in Singapore. These sectors have been identified as essential: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
The loss or compromise of CII in these sectors will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order in Singapore.
It is not clear if, in the absence of a designation from the Commissioner, an organisation has a responsibility to determine for itself whether it owns any CII. This issue will hopefully be resolved during the public consultation.
What do I have to do if my (or my company’s) computer system is designated a CII?
Under the Cybersecurity Bill, an owner of a CII is obliged to:
- Within 14 days of receiving a designation notice, appoint a contact person to liaise with the CSA on the CII;
- Notify the Commissioner of any cybersecurity incident which has affected the CII or is affecting any computer system under the owner’s control that is interconnected with the CII. There is a duty to submit a report within a prescribed time in the event of a significant cybersecurity incident;
- Notify the Commissioner of any material changes to the CII and any changes of ownership of the CII;
- Provide technical information of the CII, if requested. This includes information on the design, configuration, security, operation of the CII and any computer system that is interconnected with the CII;
- Comply with codes of practice and standards of performance that will be published by the CSA;
- Conduct risk assessments of the CII and regular audits on the CII’s compliance with the Bill and the published codes of practice and standards of performance; and
- Participate in national cybersecurity exercises organised by the CSA.
What are my obligations if my (or my company’s) computer system is not a CII?
The CSA has broad powers to investigate cybersecurity threats and prevent cybersecurity incidents, and may require any person, not just owners of CII, to comply with the Commissioner’s directions during an investigation of a cybersecurity threat or incident.
The Commissioner has the power to:
- Take statements from any person concerning a cybersecurity incident or threat; and
- Require any person to produce physical or electronic records which are relevant to the investigation.
If a cybersecurity threat or incident is severe and poses a real risk of significant harm or disruption, the Commissioner can:
- Direct any person to carry out remedial measures in relation to a computer system to minimise vulnerabilities and take steps to assist with the investigation, including carrying out scans and monitoring the computer system;
- Access and inspect the operations and data of computer systems impacted by the cybersecurity incident;
- Take copies of any electronic record or program contained in computer systems impacted by a cybersecurity incident; and
- With the consent of the owner, take possession of the computer system for further examination or analysis.
What does the Commissioner do with the requested technical information?
The CSA may only use or disclose the information that it receives for the purposes of the proposed Cybersecurity Act, or if it is lawfully required to do so by the Court or by law. The CSA must act to preserve the secrecy of all matters and information that it receives in the performance of its functions or duties under the proposed Cybersecurity Act.
Based on the current Cybersecurity Bill, it appears that the CSA will not share proprietary and confidential information belonging to a person or company with competitors or the public at large, though it is possible that the CSA will share information on vulnerabilities or threats gathered from received technical information or its investigations with other owners of CII.
It is assuring to note that the Bill requires the CSA to balance the need to protect legitimate business interests and the private affairs of the person or company who provided the information with the extent to which disclosure is necessary to carry out prosecutions, investigations or any other actions to give effect to the Cybersecurity Act.
What if I am a cybersecurity service provider?
Individuals and/or businesses that provide the following services must obtain a licence from the CSA before supplying them:
- Non-investigative cybersecurity services, e.g. designing and implementing cybersecurity solutions, monitoring for cybersecurity threats and incidents, and advising on cybersecurity solutions and practices; or
- Investigative cybersecurity services, e.g. white-hat testing of cybersecurity defences and forensic analysis and response to a cybersecurity threat or incident.
A person does not need such a licence if the person sells self-install computer programs intended for the protection of the cybersecurity of a computer, e.g. off-the-shelf software providers, or provides services for the management of the performance and/or availability of a computer system, e.g. cloud services and PaaS providers.
Steps you should take
Companies with systems that collect and manage personal data are already familiar with an obligation under the Personal Data Protection Act to protect personal data by making reasonable security arrangements to prevent unauthorised access, modifications, use, etc.
The Cybersecurity Bill takes these obligations further and places important obligations on owners and controllers of computer systems. This is especially since a failure to comply with the obligations under this new law, including any directions from the Commissioner, might lead to criminal sanctions.
To prepare, it would be prudent for every organisation to determine:
- A proper topography of your computer systems as well as the identity and nature of other systems connected to or interacting with your computer systems;
- Whether your computer systems appear to fulfil the criteria of a CII;
- Whether your computer systems have the requisite systems and applications in place to detect cybersecurity threats and incidents, and to notify you as and when they occur;
- Whether your organisation has the appropriate cybersecurity policies to prevent cybersecurity incidents and to guide the organisation’s response in the event of a threat or incident, so as to comply with the proposed Cybersecurity Act;
- Whether your computer system meets established cybersecurity standards and can respond to minimize and/or isolate harm in the event of an incident, including having the appropriate redundancies and business continuity contingencies in place to carry on business; and
- Whether your organisation has the necessary capacity and capability to extract technical information when requested.
Many organisations depend on vendors and intermediaries for their computer systems, many of which are purchased off-the-shelf or as turnkey projects. Even technology companies rely on other organisations for technical support and services further down the technology stack. It is critical to examine the state of cooperation, contractual or otherwise, among your technical partners so that they can assist you in complying with these obligations under the proposed Cybersecurity Act.