The much discussed Cybersecurity Act 2018 (Act 9 of 2018) (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018 [1]. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require providers of certain cybersecurity services in Singapore to be licensed.

We set out below four key points that you should know about this new Act.

Our comments on the draft Cybersecurity Bill, which was released for public feedback in the 2017 public consultation that preceded the Act, can be accessed here.

  1. Creation of a cybersecurity regulator

The Act provides for the appointment of a Commissioner of Cybersecurity (the “Commissioner”) as the regulator for the sector.

The Act confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents affecting Singapore. These include powers of investigation, such as the power to examine persons, to require the production of evidence and to seize evidence. In addition, where satisfied that a cybersecurity threat meets a specified severity threshold, the Commissioner may require a person to carry out remedial measures or to cease certain activities. These powers apply to all computers and computer systems in Singapore and are not limited to Critical Information Infrastructure (CII), which is described in further detail below.

The Act also grants the Minister the power to appoint as Assistant Commissioners public officers from other government Ministries or from other regulators. It is anticipated that Assistant Commissioners will, in most cases, be the “Sector Leads” for their respective sectors, i.e., the lead government agency in charge of each CII sector. CII owners should therefore already be familiar with their Assistant Commissioner from existing regulatory relationships.

For example, the Assistant Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will reduce the bureaucratic burden on CII owners in dealing with a new cybersecurity regulator, by preserving the continuity and consistency of established relationships with existing regulators.

  2. Who is covered by the Cybersecurity Act – Critical Information Infrastructure

A key thrust of the Act is the imposition of cybersecurity obligations on public and private owners of CII used to provide essential services. The 11 critical sectors of essential services identified in the Act are:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

The Commissioner has the power to designate a computer system in any of these sectors as a CII. Such a designation remains in effect for 5 years unless withdrawn earlier by the Commissioner.

When designating a computer system as a CII, the Commissioner will identify in the notice the legal owner of the CII as the party responsible for ensuring compliance with the Act. The Act contains a procedure by which the legal owner may then notify the Commissioner that it does not control the computer system, or is unable to make the changes required to ensure compliance. In such a case, the Commissioner can amend the notice to refer instead to the party that has actual control over the computer system and the power to make those changes.

Parties notified by the Commissioner as the relevant CII owners are subject to statutory duties to comply with codes of practice and directions, and to report cybersecurity incidents to the Commissioner. They are also required to conduct regular audits and risk assessments for cybersecurity vulnerabilities. There are significant criminal penalties, including fines and imprisonment, for failing to comply with these obligations.

  3. Licensing for service providers

The Act also creates a framework for licensing and regulating providers of certain types of cybersecurity services. The list of licensable services is set out in the Second Schedule of the Act.

This recognises that cybersecurity service providers are given wide-ranging access to customer systems and networks, and may gain a deep understanding of system vulnerabilities in the course of their work. There should therefore be some assurance as to the ethics and standards these service providers meet.

Licensed service providers will need to meet certain basic requirements, including being a “fit and proper” person to provide the service. A licensed provider must also retain records of the services it provides for at least three years. These requirements apply to Singapore companies as well as to overseas service providers offering such services in Singapore.

As an initial step, two types of cybersecurity services have been identified as licensable: penetration testing services and managed security operations centre (SOC) monitoring services.

However, as at the time of publication, the provisions relating to the licensing of cybersecurity services have not yet come into force.

  4. Commentary

From a public policy perspective, the enactment of the new Act is timely. In recent years cybersecurity has been brought into sharp focus by numerous ‘blockbuster’ incidents, ranging from ransomware attacks such as WannaCry to massive data breaches such as the Equifax breach in the US. Closer to home, in what is possibly Singapore’s most serious cyberattack to date, SingHealth, Singapore’s largest group of healthcare institutions, revealed that it had been the subject of a cyberattack in late June 2018. The attack is believed to have resulted in the theft of personal data belonging to 1.5 million patients, including that of the Prime Minister. These incidents highlight the need for a coordinated public response to cyber threats, which the Act seeks to provide from the Singapore perspective. However, given the borderless nature of cyberspace, a coordinated international response will also be required. Hopefully, the enactment of the Act will be a first step towards one.

From a business perspective, the largest impact of this Act is likely to be the designation of CII owners and the cybersecurity obligations imposed on them. This will undoubtedly increase costs for CII owners. During the Second Reading debate on the Bill, the Government sought to allay concerns about increased costs by pointing out that many CII owners already have cybersecurity measures in place as a result of sectoral regulation, e.g., CII owners in the financial industry. However, the true cost impact of the Act remains to be seen. Apart from directly affecting CII owners, the obligations are likely to have a knock-on effect on other organisations in the technology supply chain, as CII owners impose contractual obligations on their partners in order to comply with the Act. This too is likely to increase compliance costs for those organisations, and the increase may be more significant for them, since they may not be as well equipped as CII owners.

In addition, the licensing of certain cybersecurity services may lead customers to be more selective about the cybersecurity vendors they use. As the licensing regime will increase compliance costs for licensed cybersecurity service providers, they may seek to raise their fees to recover those costs.

The coming into force of the Act also adds a further dimension to Singapore’s data privacy, cybersecurity and cybercrime legal framework. In managing cyber risk, businesses will now have to contend with the following:

  • Data Privacy – the Personal Data Protection Act 2012 (Act 26 of 2012)
  • Cybersecurity – the Act
  • Cybercrime – the Computer Misuse Act (Cap. 50A)
  • Sectoral Regulations

Navigating this legal framework can be tricky, given the potential overlaps between the various pieces of legislation, as illustrated in the diagram accompanying this post:

That said, on the whole, the new Act is an exciting and necessary step forward in Singapore’s journey to become a smart nation, and a necessary measure to strengthen Singapore’s cybersecurity resilience.

Note: This post is an update of a previous post published on February 14, 2018.

[1] Only parts of the Act came into force on 31 August 2018; the provisions relating to the licensing of cybersecurity service providers were not brought into effect at the same time.