The Singapore government has issued its long-awaited draft Cybersecurity Bill for public consultation. In light of the global increase in cybersecurity threats, the draft bill seeks to provide a framework for national cybersecurity and protect critical information infrastructure against cybersecurity threats. The provision of certain investigative and non-investigative cybersecurity services will also now be regulated under the draft bill. Click here for a detailed alert on the topic.

Key points to note

A Commissioner of Cybersecurity will be responsible for:

  • advising the Government in respect of cybersecurity matters
  • monitoring cybersecurity threats or cybersecurity incidents that may threaten Singapore's national security
  • identifying and designating Critical Information Infrastructure
  • establishing cybersecurity codes of practice and standards of performance for CII owners to comply with
  • cooperating with Computer Emergency Response Teams internationally on cybersecurity incidents.

The Commissioner will have broad powers of investigation in the event it receives information regarding a cybersecurity threat.

The protection of Critical Information Infrastructure (CII) is a key focus of the draft bill and will significantly affect owners of CII. Key points to note include:

  • The Commissioner may designate a computer or computer system as CII if it fulfils certain criteria and the computer or computer system is located wholly or partly in Singapore. Such designation takes affect for 5 years unless successfully appealed or withdrawn early.

  • The draft bill imposes various burdensome obligations on owners of CII including that they must provide to the Commissioner information on the design, configuration and security of the CII, comply with codes of practice and standards of performance, notify the Commissioner of certain significant cybersecurity incidents, undertake regular risk assessments and audits every 3 years, and participate in national cybersecurity exercises.

Persons carrying out any licensable cybersecurity services for reward will need to obtain a licence and comply with reporting obligations under the draft Bill. Such licensable cybersecurity services have been specified and include penetration testing service as a licensable investigative cybersecurity service and managed security operations centre (SOC) monitoring service as a licensable non-investigative cybersecurity service.

How this may affect you

Organisations that have computers or computer systems necessary for the continuous delivery of essential services which Singapore relies on may potentially be designated as CII. The draft bill covers not only traditional IT systems but also "an operational technology system such as an industrial control system (ICS), a programmable logic controller (PLC), a supervisory control and data acquisition (SCADA) system, or a distributed control system (DCS)", which could cover new IoT technology.

If designated as CII, there are a number of duties imposed on owners of such CII which organisations would need to be prepared to comply with, as highlighted above. Please get in touch if you have any questions on the draft bill or wish to provide feedback to the consultation (deadline: 3 August 2017). The draft bill and the public consultation document are available here.