On 15 December 2023, the Cyber Security Authority of Singapore (CSA) announced the draft Cybersecurity (Amendment) Bill (draft bill), which would amend the Cybersecurity Act of 2018 (CS Act), for public consultation. The public consultation ended on January 15, 2024.
The consultation document and draft bill can be accessed here.
The proposed changes are significant and will have an impact on Singapore’s cybersecurity landscape, which we discuss below.
Background
The amendments to the Bill aim to ensure that Singapore’s cybersecurity laws are aligned with the objective of protecting Singapore from cybersecurity threats and harmful disruption.
Proposed changes
Broadly speaking, the draft bill proposes to make two important changes.
- Strengthening the regulatory approach to critical information infrastructure (CII); and
- Expanding the regulatory scope of the CS Act to include entities other than CII owners.
Strengthening the regulatory approach to CII
Currently, Part 3 of the CS Act primarily imposes obligations on CII owners. This regulatory approach reflects the fact that, at the time the CS Act was enacted, providers of essential services tended to own and operate the CII necessary for the provision of those essential services.
However, since the enactment of the CS Act, there has been a shift towards virtualization and the use of outsourced vendors (computing vendors) to serve specific computing needs. Recognizing that it should promote the use of computing vendors if they can improve the delivery of essential services, CSA is proposing to introduce a new Part 3A to the CS Act.
The newly proposed Part 3A of the CS Act would allow providers of essential services to use computing vendors in the provision of essential services. However, the responsibility for the cybersecurity of critical services lies with the provider. The Director of Cybersecurity (Commissioner) can impose different obligations on providers of essential services, designed to deliver the same cybersecurity outcomes as Part 3 of the CS Act (applicable to CII owners).[1]
To ensure that providers of essential services can meet their obligations under the CS Act, they need to obtain legally binding commitments from computing vendors. If such commitments cannot be obtained, the Commissioner may order the provider of an essential service to cease using the CII that is owned by someone other than the provider.
Expanding the regulatory scope of the CS Act beyond CII
Another important change in the CS Act relates to the expansion of the regulatory scope of the CS Act beyond the scope of CII owners and providers of essential services.
This recognizes the fact that, with the advancement of digitalization, Singapore’s cybersecurity environment includes a wide variety of services in addition to critical services, where disruption caused by a cybersecurity incident could have a significant impact on, or even worsen, the lives of Singaporeans.
Accordingly, the CSA proposes to extend the CS Act to include Parts 3B, 3C, and 3D to regulate the following classes of entities:
- Leading providers of foundational digital infrastructure (FDI). These relate to critical digital infrastructure that does not fall under the CII designation, such as that of data center operators and cloud service providers, and that could cause significant disruption and impact if compromised.
- Organizations with a special interest in cybersecurity (ESCI). These are organizations that own sensitive data that could adversely impact Singapore’s interests if compromised, for example, organizations that work with governments; and
- Owners of systems with temporary cybersecurity concerns (STCC). These are temporarily important systems, for example national vaccination systems.
Once designated, these organizations are subject to specific obligations under the CS Act, like providers of essential services and CII owners. Duties imposed on these organizations include obligations to provide information to the Commissioner, to comply with codes of conduct, standards of performance, or written instructions issued by the Commissioner, and to notify the Commissioner of specified cybersecurity incidents.
Important points
The CSA’s proposed enhanced powers will impact the cybersecurity landscape in the following ways:
- Strengthening regulatory oversight: The new designations, namely FDI, ESCI, and STCC entities, expand the scope of CSA and provide regulatory oversight of these entities’ cybersecurity approaches.
- Stricter cybersecurity standards: Stricter cybersecurity requirements will apply to a wider range of regulated entities, and penalties for non-compliance will be set out in supporting legislation.
- Enhanced incident reporting system: Cybersecurity incident reporting obligations extend beyond CII systems under the direct control of the owner or service provider.
- Increased supply chain scrutiny: Expanded regulatory oversight is likely to result in further scrutiny of cybersecurity supply chains, leading to more stringent requirements downstream by companies regulated by the CSA.
I would like to thank our trainee, Charles Howe, for helping prepare this update.
[1] These obligations include providing information about CII owned by non-Providers, adhering to codes of conduct and standards of performance, conducting periodic audits, and responding to changes in ownership of CII owned by non-Providers or to given cybersecurity incidents, including by notifying the Commissioner of the occurrence of such incidents.