Duties of CII owners

A computer system is considered CII under the Bill if it is “necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defense, foreign relations, economy, public health, public safety or public order of Singapore.” “Essential services” here refers to 11 critical sectors: government, security and emergency, health care, telecommunications, banking and finance, energy, water, media, land transport, air transport, and maritime. CII owners in sectors such as banking and finance and telecommunications may already have in place cybersecurity measures required by sector-specific regulations.

The CSA Commissioner for Cybersecurity has the authority to designate a computer system as CII via a written notice. Once a computer system is designated, the CII owner must, among other things, notify the Commissioner of significant cybersecurity incidents, changes in CII ownership 90 days prior to the intended date of change, and changes to the design, configuration, security or operation of the CII. The CII owner is also required to conduct cybersecurity audits and risk assessments every three years to comply with legislation and related codes of practice.

Following the release of the Bill, Dr Yaacob Ibrahim from MCI answered questions from Members of Parliament on different aspects of the Bill. According to Minister Ibrahim, organizations are not required to self-assess whether their computer systems will be deemed CII, and CII owners will be given an opportunity to submit representations to the Commissioner or appeal to the MCA against a CII designation. The Minister’s decision on an appeal will be final. Since new essential services may arise in the future, the MCI may amend the existing list of essential services if necessary.

Investigation power of CSA

All organizations, regardless of whether they are CII owners, are required to cooperate with the CSA during the investigation of cybersecurity threats and incidents in Singapore. The Commissioner has the power to: (i) take written statements from any persons concerning a cybersecurity incident or threat; (ii) require any persons to produce physical or electronic records that are relevant to the investigation; and (iii) examine orally any person with knowledge of a cybersecurity incident or threat and reduce to writing any statement made by the person examined.

For serious cybersecurity incidents and threats, an organization may be required to: (i) preserve the state of the computer or computer system by not using it; (ii) monitor the computer system for a specified period of time; (iii) perform a scan of the computer system to detect cybersecurity vulnerabilities; (iv) allow the investigating officer to install on the computer system any software program or to interconnect any equipment to the computer system; (v) take a copy of, or extracts from, any electronic record or program contained in a computer that the investigating officer has reasonable cause to suspect is impacted by the incident; and/or (vi) with the consent of the owner, take possession of any computer or other equipment for the purpose of carrying out further examination or analysis. To aid in the detection of cybersecurity threats, information such as network logs, indicators of compromise, and system event and audit logs may be requested.

Minister Ibrahim assured that the powers under the Bill are not intended to intrude into individuals’ privacy as information and measures required under the Bill mainly target cybersecurity threats and are primarily not personal in nature.

Licensing regime

The new Bill requires two types of cybersecurity services to obtain a license from the CSA:

(1) Investigative cybersecurity services (e.g., penetration testing services and forensic analysis) whereby security controls are circumvented to provide a deeper level of access to the computer system to test for vulnerabilities.

(2) Non-investigative cybersecurity services, such as monitoring the security of a computer system or assessing compliance with an organization’s cybersecurity policy.

Cybersecurity services other than these two categories targeted by the Bill will still need to comply with other laws in Singapore, such as the Computer Misuse Act.

The licensing requirements do not apply if the cybersecurity services are sourced internally. Thus, if an individual is employed by a business to provide cybersecurity services to that business (and not anyone else), then a license is not required.

The proposed licensing framework intends to reduce the security risks to cybersecurity service providers. If individuals or organizations operate without the appropriate licenses, fines and jail terms may be imposed. Additionally, unlicensed providers will not be entitled to initiate legal proceedings to recover any commission, fee, gain, or reward for services provided during the period in which the provider did not have the appropriate license.

Statutory fines

The maximum penalty under the Bill for non-compliance is S$100,000 (US$75,792) or two years imprisonment, or both. The Commissioner is authorized to request that CII owners cooperate and provide necessary data and information so that the Commissioner can investigate cybersecurity incidents and threats to assess their potential impact. Violations would lead to maximum penalties of S$5,000 (US$3,789) or six months imprisonment, or both.

Conclusion

Singapore has been a popular choice of jurisdiction for data centers serving the Asia Pacific region, a market worth an estimated US$934 million in 2017, and with a compound annual growth rate that is estimated to be 12 percent by 2021 according to a study released by Structure Research. The passing of the Bill has particular significance given the large amount of business and personal data stored and processed in the country.

From a compliance perspective, businesses likely to be deemed CII and businesses susceptible to cybersecurity attacks should carefully consider the reporting obligations under the Bill by, among others thing, reexamining their existing cybersecurity intrusion detection systems and incident response plans.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

Client Alert 2018-046