Search for:
Cybersecurity, Data and Tech

Singapore: Cyber Security Agency introduces Draft Cybersecurity (Amendment) Bill

By 6 Mins Read

In brief

The Cyber Security Agency (CSA) has published a consultation paper on the proposed Cybersecurity (Amendment) Bill (CAB), which would amend the Cybersecurity Act 2018 (CA). The CAB seeks to strengthen the legal framework governing the maintenance of national cybersecurity in Singapore, against the pressing need for legislation to effectively address the fast-developing technological environment. 

Contents

  1. Background
  2. Key changes in the CAB
  3. Key takeaways

Background

Since the implementation of the CA in 2018, Singapore’s business landscape has undergone further digital transformation, with businesses incorporating technological tools such as cloud computing and adopting novel business models that increasingly engage third-party service providers within the supply chain.

Rapid digitalisation thus poses new cyber-threat risks and considerations, which the CAB seeks to address to update and safeguard the security of Singapore’s cyberspace.

Key changes in the CAB

1. Expanding the definition of the critical information infrastructure (CII) by introducing a separate category of “non-provider-owned CII”

Currently, the CA regulates CII, which are computers or computer systems that are necessary for the continuous delivery of essential services in Singapore. CII tends to be owned by providers of essential services, but providers have increasingly been engaging vendors to provide computing services, and these computers or infrastructure share the same cybersecurity exposure as CII. The CAB thus proposes to broaden CII-related obligations to encompass situations involving “non-provider-owned CII”.

The responsibility for the cybersecurity of the essential service will still rest with the provider of the essential service. The provider of the essential service will be required to, amongst other things, provide the Commissioner with information on non-provider-owned CII and obtain various legally binding commitments from its computing vendor to ensure that the provider of the essential service is able to discharge its duties under the Act.

2. Expanding the scope of incident reporting

Considering the increasing sophistication of threat actors that target innocuous connections to access critical networks, in relation to provider-owned CII, the CAB seeks to impose wider duties on providers to report incidents on any part of the network under the provider’s control, or incidents in respect of the network under the control of a supplier to the owner that is interconnected or communicates with the provider-owned CII, as opposed to incidents relating specifically to the provider-owned CII.

The expanded scope of incident reporting aims to bolster the CSA’s situational awareness of the risks of disruption to essential services, enabling the CSA to pre-emptively identify and mitigate such threats.

3. Broaden the Commissioner of Cybersecurity’s purview beyond CII owners to include three new categories

The CAB proposes to extend the regulatory oversight of the Commissioner to include key systems to Singapore’s cyber ecosystem that are not classified as CII.

The three new categories are as follows:

  • Foundational Digital Infrastructure services (FDI)
    • Digital infrastructure that promotes the availability, latency, throughput or security of digital services, including those providing cloud computing or data centre facility services.
    • The CSA may designate the provider of an FDI service as a “major FDI service provider” if it is satisfied that (i) the service is provided to or from Singapore, and (ii) any impairment or loss of the FDI service could lead to disruption to a large number of businesses or organisations that rely on or are enabled by the FDI service.
  • Entities of Special Cybersecurity Interest (ESCI)
    • Entities that handle sensitive data or perform critical functions for Singapore which, if disrupted, are expected to result in significant detriment to the defence, foreign relations, economy, public health, public safety or public order of Singapore.
  • Systems of Temporary Cybersecurity Concern (STCC)
    • Computer systems that are temporarily critical to Singapore’s interests, but are at high risk of cyber-attacks during this critical period. 
    • The CSA may designate a computer or computer system as an STCC for a period of up to one year if it is satisfied that the risk of cyberattack is high and that compromise or loss of the STCC will result in a significant detriment on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.

The three categories of FDI services, ESCI and STCC will be subject to several duties, which include the provision of cybersecurity-related information to the CSA and notification of the CSA of any prescribed cybersecurity incidents. Further, these systems are to be subject to further incident reporting requirements and applicable cybersecurity standards.

Non-compliance with obligations concerning FDI services and ESCI may result in financial penalties, while non-compliance relating to STCC is proposed to amount to an offence.

4. Strengthen Licensing Officers’ powers

Under Part 5 of the present CA, persons engaging in the business of providing licensable cybersecurity services (e.g., penetration testing) must obtain a cybersecurity service provider’s licence, and the terms and grant of the licence are determined by licensing officers. The CAB will amend the CA to confer licensing officers with monitoring powers, such as powers to enter, inspect and examine licensees’ place of business and records.

Key takeaways

The proposed amendments to the CA seek to keep pace with developments in technology and industry practices, as well as the consequential increase of cybersecurity challenges. Operators of cloud services and data centres may also need to evaluate the impact of obligations outlined in the CAB. Businesses will need to remain alert to future developments and adopt a flexible attitude in operationalising necessary changes. Finally, as alluded to in the CAB, the CSA is likely to provide further clarity through the publication of additional codes of conduct and guidelines.

* * * * *

LOGO_Wong&Leow_Singapore

© 2024 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Categories:
Author

Andy Leck is the head of the Intellectual Property and Technology (IPTech) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and also leads the Myanmar IP Practice Group. Andy is recognised by reputable global industry and legal publications as a leader in his field. He was named on "The A-List: Singapore's Top 100 lawyers" by Asia Business Law Journal 2018. In addition, Chambers Asia Pacific notes that Andy is "a well-known IP practitioner who is highlighted for his record of handling major trade mark litigation, as well as commercial exploitation of IP rights in the media and technology sectors. He's been in the industry for a long time and has always been held in high regard. He is known to be very fair and is someone you would like to be in the trenches with you during negotiations." Furthermore, Asian Legal Business acknowledges Andy as a leading practitioner in his field and notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice.” Andy was appointed by the Intellectual Property Office of Singapore (IPOS) as an IP Adjudicator to hear disputes at IPOS for a two-year term from April 2021. He has been an appointed member of the Singapore Copyright Tribunal since May 2010 and a mediator with the WIPO Arbitration and Mediation Center. He is also appointed as a Notary Public & Commissioner for Oaths in Singapore. He previously served on the International Trademark Association’s Board of Directors and was a member of the executive committee.

Author

Ren Jun Lim is a principal with Baker McKenzie Wong & Leow. He represents local and international clients in both contentious and non-contentious intellectual property matters. He also advises on a full range of healthcare, as well as consumer goods-related legal and regulatory issues. Ren Jun co-leads Baker McKenzie Wong & Leow's Healthcare as well as Consumer Goods & Retail industry groups. He sits on the Law Society of Singapore IP Committee and on the Executive Committee of the Association of Information Security Professionals. He is also a member of the Vaccines Working Group, Singapore Association of Pharmaceutical Industries, a member of the International Trademark Association, as well as a member of the Regulatory Affairs Professionals Association. Ren Jun is ranked in the Silver tier for Individuals: Enforcement and Litigation and Individuals: Prosecution and Strategy, and a recommended lawyer for Individuals: Transactions by WTR 1000, 2020. He is also listed in Asia IP's Best 50 IP Expert, 2020, recognised as a Rising Star by Managing IP: IP Stars, 2019 and one of Singapore's 70 most influential lawyers aged 40 and under by Singapore Business Review, 2016. Ren Jun was acknowledged by WTR 1000 as a "trademark connoisseur who boasts supplementary knowledge of regulatory issues in the consumer products industry." He was also commended by clients for being "very responsive to enquiries and with a keen eye for detail, he is extremely hands-on. His meticulous and in-depth approach to strategising is key to the excellent outcomes we enjoy."

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is regularly ranked as a leading TMT and competition lawyer by top legal directories, including Chambers Asia Pacific and Legal 500 Asia Pacific. Ken is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators.

Related Posts

Write A Comment