Introduction
The Cyber Security Agency (the CSA) has launched a public consultation on amendments to the Cybersecurity Act 2018 (the Act). The public consultation ends on 15 January 2024.
Scope of the Cybersecurity Act 2018
The Act is Singapore’s legal framework for the supervision and maintenance of national cybersecurity, setting out measures to prevent, manage and respond to cybersecurity threats and incidents. The Act also sets out regulations for owners of critical information infrastructure (CII) and cybersecurity service providers. CII refers to computers or computer systems necessary for the continuous delivery of essential services, the loss or compromise of which will have a debilitating effect on the availability of these services in Singapore.
In response to a changing cybersecurity environment, the CSA has reviewed the Act for the first time since its enactment to:
- ensure that it remains relevant to evolving technology and business models;
- extend its coverage beyond CII to address the broader ecosystem where digital technologies are ubiquitous and exposed to growing cyber threats; and
- respond to evolving cybersecurity challenges by ensuring that the Commissioner of Cybersecurity has early and timely information regarding cybersecurity vulnerabilities, threats and incidents.
Scope of the Cybersecurity (Amendment) Bill
The Cybersecurity (Amendment) Bill (the Bill) introduces changes in three areas. It:
- updates CII regulation to allow CII owners to leverage new technologies such as cloud services via vendors; enhances reporting and onsite inspection requirements; and allows the Commissioner of Cybersecurity to grant time extensions for compliance with the Act;
- extends the supervisory remit of the Commissioner of Cybersecurity to issue cybersecurity standards of practice, require reporting of cybersecurity incidents, and issue directions regarding the cybersecurity of regulated entities’ computer systems; and
- provides for future cybersecurity standards to safeguard Singapore’s digital economy and digital way of life.
These three areas of change contribute towards expanding the scope of the Bill. For CII, systems located wholly overseas will come within the scope of regulation to prevent entities from using offshoring to avoid CII duties.
The changes also introduce new categories of regulated entities: “foundational digital infrastructure” (FDI) service providers, “entities of special cybersecurity interest” (ESCI) and “systems of temporary cybersecurity concern” (STCC). The new categories reflect the reality that cybersecurity threats target more than CII today and other entities could suffer cybersecurity attacks that cause significant detrimental outcomes in Singapore.
FDI service provider regulation allows the CSA to ensure that the underlying digital services behind CII and other computer systems meet availability, latency, throughput and security requirements.
ESCI regulation allows the CSA to impose regulations on entities that may not own CII but still operate computer systems that possess sensitive data or have important functions that are attractive to malicious actors.
STCC regulation gives the CSA more flexibility to impose requirements only when needed, such as during high-profile international events and pandemics.
Essential service providers will have to extract legal undertakings that operators of such non-CII owned regulated entities will be able to adhere to their obligations under the Bill.
Conclusion
The Bill is timely in expanding existing regulations and identifying new areas to secure in today’s digital landscape. Owners and operators of computer systems should keep up to date with the new categories of regulated entities and prepare to accept compliance measures if they become designated as such.
Client Alert 2024-005