Singapore has taken a step closer to passing its first Cybersecurity Act. On 8 January 2018, Singapore’s first Cybersecurity Bill was read in Parliament. This Bill is an updated version, and was revised following a public consultation process on the initial draft Bill in July 2017. The government received 92 submissions from a diverse range of stakeholder groups, and the consultation was extended in response to requests for more time to provide feedback, reflecting the level of interest in this legislation.
This updated Bill is a timely and important development in view of increasingly sophisticated cyber-attacks that could potentially cause major disruptions to Singapore’s economy. The intention behind this Bill is to have a coordinated national approach to cybersecurity, and ensure that critical information infrastructure (CII) across all sectors are protected consistently. We summarised the key provisions in the previous Bill in our earlier post. In this post, we summarise the key changes introduced by the updated Cybersecurity Bill:
What has changed?
1. Critical information infrastructure. This updated Bill tightens certain important definitions, and acknowledges that the owners of CII may not always be best placed to ensure that the statutory obligations are fulfilled. The key changes are as follows:
- Definition of CII. The definition of CII has been tightened and will only include those computer or computer systems that have been designated as such by the Commissioner.
- Definition of owners of CII. Owners of CII, who will need to comply with the relevant statutory obligations under the Bill, are now defined as legal owners (instead of someone with effective control over the CII etc.). The Cyber Security Agency of Singapore (CSA), in its end-of-consultation report, further clarified that computer systems in the supply chain supporting the operation of a CII will not be designated as CII, and therefore third party vendors will not be considered owners of CII. These are positive developments as there is now certainty over the imposition of statutory obligations.
- Responsibility for compliance. There is also now a mechanism for owners of CII to request the Commissioner to address the notice for compliance to another person under certain conditions (e.g. if the owner does not have effective control over the operations of the CII). This acknowledges that owners may not also be operators of the CII, and are hence not best placed to ensure that the statutory obligations are fulfilled.
2. Government power to access data. Some of the responses expressed concerns about the government’s broad rights to access information and systems. However, the broad powers granted to the Commissioner to access physical and digital assets have, if anything, been increased further. Although the degree of these powers still depends on the severity of the situation, the relevant severity thresholds have been lowered. For example, the Commissioner can exercise a set of more intrusive powers if there is a risk of significant harm, instead of a real risk of significant harm.
3. Information Sharing. Although the framework for the sharing of cybersecurity information between the CSA and stakeholders remains, there is now an exemption for disclosure of information protected by law or rules of professional conduct (e.g. legal professional privilege). However, contractual confidentiality obligations will not excuse the disclosure of such information. Nonetheless, such disclosure, with reasonable care and in good faith for the purposes of compliance with the Bill, will not constitute a breach of that contractual obligation.
4. Licensing of Cybersecurity Service Providers. To strike a balance between industry development and security needs, the licensing framework for cybersecurity service providers has been simplified. The key changes are as follows:
- Licensing regime. There is now only one licensing regime instead of two, and the distinction between “investigative” and “non-investigative” cybersecurity services has been removed. This is a positive development, allows the Bill to be more future-proof, and enables it to stay relevant as cybersecurity services continue to evolve.
- Employee exemption. Individuals who are employed to provide cybersecurity services are no longer subject to separate licensing requirements. Only service providers who are in the business of providing cybersecurity services, whether individual or business entities, have to comply with licensing requirements.
- Related company exemption. In addition, intra-group cybersecurity services will also fall outside the licensing regime.
Before this Bill becomes law, there would typically be two more readings of it in Parliament. The Second Reading will occur at the next available sitting of Parliament. After the Bill is passed, the CSA will work on the implementing regulations, which will likely include further details on the scope of CII and the licensing requirements and process for cybersecurity service providers.
As Singapore moves along its goal to become a Smart Nation, we will become increasingly dependent on technology and concurrently more vulnerable to the impact of cybersecurity attacks. The Bill provides a framework for oversight and response to cyber threats and incidents which will be an important part of Singapore’s Smart National vision.
With thanks to Matt Pollins
CMS in Singapore is a full service office that services the Asia-Pacific region. It advises international and national businesses doing business with, and in, Singapore and Asia-Pacific. CMS is licensed in Singapore as a foreign law practice. CMS operates as CMS Holborn Asia pursuant to a Formal Law Alliance with Holborn Law LLC, a Singapore law practice. Where advice on Singapore law is required, this may be provided by members of Holborn Law LLC as appropriate.