The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.
We set out below four key points that you should know about this new Bill.
Our comments on the draft Cybersecurity Bill which was released for public feedback in connection with the Public Consultation in 2017 as a pre-cursor to the Bill, can be accessed here.
1. Creation of a cybersecurity regulator
The Bill provides for the appointment of a Cybersecurity Commissioner (the “Commissioner”) as a regulator for the sector.
The Bill confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents affecting Singapore. These powers include the powers of investigation such as the power to examine persons, require the production of evidence and to seize evidence. In addition, where satisfied that a cybersecurity threat meets a certain specified severity threshold, the Commissioner may require a person to carry out remedial measures or to cease certain activities. These powers apply to all computer or computer systems in Singapore and are not limited to only Critical Information Infrastructure (CII) which is described in further detail below.
The Bill also grants the Minister the power to appoint as Assistant Commissioner public officers from other government Ministries or from other regulators. It is anticipated that Assistant Cyber Commissioners will be, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each CII sector. Therefore, CII owners should be familiar with the Assistant Cyber Commissioners from their existing regulatory relationships.
For example, the Assistant Cyber Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CII owners when dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.
2. Who is covered by the CyberSecurity Bill – Critical Information Infrastructure
A key thrust of the Bill is the imposition of cybersecurity obligations on public and private owners of CII that are used to provide essential services. The 11 critical sectors of essential services that are identified in the Bill are:
- Banking and finance
- Security and emergency services
- Land transport
The Commissioner has the power to designate a computer system in these sectors to be a CII and such a designation will be effective for 5 years unless withdrawn earlier by the Commissioner.
When designating a computer system as a CII, the Commissioner will identify in its notice the legal owners of the CII as the parties that will be responsible for ensuring compliance with the Bill. The Bill contains a procedure for the legal owners to then notify the Commissioner that they are not in control of the computer system or unable to make changes required to ensure compliance. In such a case, the Commissioner can amend its notice to refer to the party that does have actual control over the computer system and the power to make changes.
Parties who have been notified by Commissioner as the relevant CII owners are subject to statutory duties to comply with codes and directions, and report incidents to the Commissioner. They are also required to conduct regular audits and risk assessments for cybersecurity vulnerabilities. There are significant criminal and civil penalties for failing to comply with these obligations.
3. Licensing for service providers
The Bill also creates a framework for licensing and regulating service providers of certain types of cybersecurity services. The list of licensable services is set out in the Second Schedule of the Bill.
This is in recognition of the fact that cybersecurity service providers are given wide ranging access to customer systems and networks and could gain a deep understanding of system vulnerabilities in the course of their work. There should therefore be some assurance concerning the ethics and standards these service providers should meet.
Licensed service providers will need to meet certain basic requirements, including being a “fit and proper” person to provide the service. The licensed provider must retain service records for three years. These requirements will apply to Singaporean companies as well as overseas service providers offering such services in Singapore.
As an initial step, two types of cybersecurity services have been identified as licensable –penetration testing services and managed security operations centre monitoring services.
4. When will the Bill come into force?
The coming into force of the Bill (or provisions thereof) is a question for the Minister in charge to decide. Typically, there is a lead time of a couple of months in order for the public to take steps to be ready to comply with new legislation before the date of its coming into force is published in the Government Gazette.
In the case of the Bill, given that cybersecurity is a major focus and concern of the Government, it is likely that the Bill will come into force sooner rather later. The Act may come into force as early as Q2 this year. At the public consultation last year, the government published a draft version of the Bill, which would have given affected organisations lead time to prepare to comply with the Bill. This will likely affect the government’s assessment of the date on which it would be appropriate for the Bill to come into force.
From a public policy perspective, the enactment of the new Bill is timely. The year of 2017 brought cybersecurity into sharp focus, with numerous ‘blockbuster’ cybersecurity incidents ranging from ransomware attacks such as WannaCry to massive data breaches such as the Equifax breach in the US. These cybersecurity incidents highlight the need for a coordinated public response to these threats, which the Bill seeks to address from the Singapore perspective. However, given the borderless nature of cyberspace, a coordinated international response will be required. Hopefully, the enactment of the Bill will be the first step towards a coordinated international response.
From a business perspective, the largest impact arising out of this Bill is likely to be the designation of CII owners and the cybersecurity obligations imposed on them. This will undoubtedly result in increased costs to CII owners. During the Second Reading debate on the Cybersecurity Bill, the Government has sought to allay concerns regarding increased costs by pointing out that many CII owners already have cybersecurity measures in place as a result of sectoral regulations, e.g., for CII owners in the financial industry. However, the true impact of the Bill on costs remains to be seen. Apart from directly impacting the CII owners, it is likely that the obligations would have a knock on effect on other organisations involved in the technology supply chain as CII owners seek to impose contractual obligations on their partners in order to comply with the Bill. Again, this is likely to result in increased compliance costs on these organisations, which may be more significant given that these organisations may not be as well-equipped as CII owners.
In addition, the licensing of certain cybersecurity services may lead to customers being more selective as to the cybersecurity vendors they use. As the licensing regime will increase the compliance costs for licensed cybersecurity service providers, they may seek to increase their fees to recover this cost.
On the whole, this new Bill is an exciting step forward in Singapore’s journey to become a smart nation and a necessary measure to strengthen Singapore’s cybersecurity resilience.
 As of the date of this post, the Singapore government has not announced the date upon which the Cybersecurity Bill would come into force.