Background
Under the new licensing framework, CSPs providing penetration testing services and managed security operations centre monitoring services will have to apply for a licence by 11 October 2022 (six months from the date the framework came into force). The aims of the licensing framework are to:
- Address the information asymmetry between consumers and CSPs
- Better safeguard consumers’ interests
- Improve CSPs’ standards
The licensing framework was developed with input from a public consultation conducted in September and October 2021 on how the CSA can achieve the three aims of the licensing framework.
The licensing framework supports the objectives of the CS Act, which in 2018 established oversight and maintenance of Singapore’s cybersecurity through measures for cybersecurity incident response, as well as regulations for infrastructure owners and CSPs. The four objectives of the CS Act are to:
- Strengthen the protection of critical information infrastructure against cyber-attacks
- Authorise the CSA to prevent and respond to cybersecurity threats and incidents
- Establish a framework for sharing cybersecurity information
- Establish a light-touch licensing framework for CSPs
CS Act licensing framework
The licensing framework is set out in Part 5 of the CS Act. Under section 49 of the CS Act, a CSP may continue its business until it receives the outcome of its licence application or until 11 October 2022, whichever comes first.
The licensing framework requires CSPs to:
- Abide by standards set out in their licence conditions
- Record information
- Notify the CSA of changes (see sections 27 and 29 of the CS Act)
The licensing framework adopts a light-touch approach by prioritising penetration testing services and managed security operations centre monitoring services in the Second Schedule of the CS Act. This prioritisation reflects the relevant CSPs’ significant access to clients’ computer systems and sensitive information. Any abuse of access can be highly disruptive, and exploitation of the two services can significantly impact the overall cybersecurity landscape in Singapore.
Although the licensing framework’s details have not been introduced in subsidiary legislation, draft subsidiary legislation provided in the 2021 public consultation gives an overview of what to expect. In terms of professional conduct, licensees must maintain confidentiality of clients’ information, exercise due care and skill and act with honesty and integrity. In terms of provision of information, licensees must provide information about their services upon the CSA’s request. Finally, licensees must notify the CSA of any changes relating to the honesty, integrity and financial soundness of their businesses as well as changes to their key executive officers so that the CSA can ensure all officers are fit and proper.
To implement the licensing framework, the CSA has set up the Cybersecurity Services Regulation Office (CSRO). The CSRO will enforce the new licensing framework, respond to queries and share resources on licensable cybersecurity services. If CSPs continue their businesses without a licence, they are liable on conviction to a fine not exceeding S$50,000, imprisonment not exceeding two years or both under section 24 of the CS Act.
Next steps
CSPs should refer to the draft subsidiary legislation in the 2021 public consultation and keep up to date with information released by the CSRO and subsidiary legislation under the CS Act so that they can quickly comply. If any additional licensable cybersecurity services are added to the Second Schedule of the CS Act in the future, CSPs should take note and apply for the necessary licences.
The licensing framework provides greater clarity on the standards expected of CSPs under the CS Act and continues the light-touch regulation of key services in the cybersecurity industry. The clarity and regulation help distinguish CSPs that follow industry best practices and increase consumer confidence in the service standards they can expect.
Our recognised cybersecurity lawyers are experienced and highly familiar with the sector’s latest developments. If you wish to discuss any aspects of the licensing framework, please reach out to our team below or your usual Reed Smith contact.
Client Alert 2022-114