Introduction
The Singapore Parliament passed the Cybersecurity (Amendment) Bill (the Bill) on 7 May 2024, amending the Cybersecurity Act 2018 (the Act). The Act is Singapore’s legal framework for the supervision and maintenance of national cybersecurity by the Cyber Security Agency of Singapore (CSA), setting out measures to prevent, manage and respond to cybersecurity threats and incidents. The Bill seeks to extend the scope of the Act to cover new technologies and business models that have emerged over the past few years.
The Bill recognises that providers of essential services may operate critical computer systems overseas or rely on third party vendors to operate their critical information infrastructure (CII). These systems and CII may now be designated by the CSA, with responsibility remaining with the providers of essential services in Singapore.
The Bill also introduces new categories of regulated entities and computer systems: foundational digital infrastructure (FDI) service providers, entities of special cybersecurity interest (ESCI) and systems of temporary cybersecurity concern (STCC). The new categories reflect the reality that cybersecurity threats target more than CII today and other entities could suffer cybersecurity attacks that also cause significant detrimental effect in Singapore.
FDI service provider regulation allows the CSA to ensure that the underlying digital services behind CII and other computer systems meet availability, latency, throughput and security requirements.
ESCI regulation allows the CSA to impose regulations on entities which may not own CII, but still operate computer systems that possess sensitive data or have important functions that are attractive to malicious actors.
STCC regulation gives the CSA more granularity, allowing it to impose requirements only when needed, such as during high-key international events and pandemics.
Public consultation
The Bill was published for public consultation in January 2024. In response to feedback from the consultation.
Future regulation
Following the passing of the Bill, the Ministry of Communications and Information (MCI) is expected to shift focus to introducing the new Digital Infrastructure Act (DIA). The DIA complements the Act: while the Act focuses on the delivery of essential services, the DIA will cover digital risks for other entities which do not deliver essential services but are still relied on heavily, such as data centres that power digital banking services and cloud computing services. We expect the MCI to conduct further consultations with industry stakeholders so that the DIA comprehensively addresses risk prevention and effective recovery while remaining consistent with existing requirements under the Act and related legislation.
Conclusion
Owners and operators of computer systems and providers of essential services should keep up to date with the new categories of regulated entities and computer systems, and ensure that they work with their vendors to comply with the requirements under the Act.
Our technology lawyers are experienced and highly familiar with the latest developments in the sector. If you wish to discuss any aspects of this alert, please reach out to our team below or your usual Reed Smith contact.
Client Alert 2024-106