The newly passed cybersecurity Bill allows the Singapore Commissioner of Cybersecurity to exercise extensive investigatory powers into suspected cyber threats and incidents affecting critical information infrastructures (CII).
The new Bill
Following the global rise in cybersecurity threats and a series of high profile cyber-attacks in Singapore last year, including an attack on the Defence Ministry as well as a number of other attacks on universities and financial institutions, a new cybersecurity Bill was passed on the 5th February 2018 in Singapore’s parliament in order to safeguard essential services operating critical information infrastructures (CII) from cyber-attacks and increase oversight, control and visibility.
CIIs are defined as computers or computer systems that are necessary for the continuous delivery of essential services and which have been expressly designated as such by the Commissioner. The designation of a CII by the Commissioner is effective for a five-year period; however, CII owners will have the opportunity to submit an appeal against the CII designation.
When the new law comes into force, it will provide a legal framework for the regulation, oversight and monitoring of cybersecurity threats to CIIs, with an emphasis on the 11 key sectors identified within the Bill, which include organisations operating in the energy, telecoms, water, health and banking sectors. The Bill also gives the new Commissioner of the Cyber Security Agency of Singapore (CSA) the powers to investigate, seize evidence and report on security incidents at local organisations, as well as the authority to decide which certifications a company needs to hold.
Under the new law, CII owners are required to comply with a number of statutory codes of practice. These include the prompt reporting of cybersecurity-related incidents to the CSA and the implementation of processes and procedures to detect and respond to such threats.
CII owners are obligated to disclose, upon request, any information required by the Commissioner; failing to do so may constitute a breach of statutory obligations.
Owners of CIIs will also need to submit cybersecurity audits at least once every two years and undergo regular risk assessments.
Failure to provide information to the CSA or to comply with its incident reporting requirements will be considered an offence that could result in a maximum penalty of $100,000 (SGD), two years' imprisonment, or both. However, organisations that experience security breaches but comply with the policies set out by the Bill will not be subjected to any fines.
The new law also provides a licensing framework which requires suppliers of cybersecurity services that offer penetration testing or run security operation centres (SOCs) to obtain a licence from the CSA.
Addressing the concerns
During a three-hour-long debate on this landmark Cybersecurity Bill, concerns were raised by a number of Singapore MPs, including the cost implications the Bill will have on businesses of all sizes. There is a concern that some CII owners will have to bear significant financial burdens to enhance their cybersecurity measures and comply with the new law, which could lead to some of the cost trickling down to customers.
In response to this concern, the Minister for Communications and Information, Yaacob Ibrahim, stated that the Government will bear a great deal of the cost of strengthening cybersecurity and improving responses to incidents and threats at the national level.
Another concern raised by MPs in the debate was that the powers to investigate computer systems granted to the Commissioner by the Bill could lead to intrusions into personal privacy. Minister Ibrahim addressed these concerns by assuring MPs that there are limits to the investigatory powers that can be exercised; however, the extent of those powers depends heavily on the severity of the incident.
Yaacob Ibrahim went on to state that the measures permitted by the Bill are not intended to intrude on personal privacy, and that the information required from CIIs to deal with threats would be primarily technical rather than personal.
Does the new Bill affect those outside of Singapore?
In short, the answer is no. The new law will not have any effect on systems located outside of Singapore. However, owners of CIIs that are partially situated in Singapore will still have to abide by the requirements set out under the Bill.
As stated by Yaacob Ibrahim: “Given Singapore’s interconnectivity, it is inevitable that some computer systems serving important functions in Singapore are connected globally and may also be located wholly outside Singapore. These computer systems could also be operated by international organisations based abroad.”
“While Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems in question, we cannot control such systems by designating them as CII under the Bill as they are outside our jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes.”
To enable investigations into cyber-attacks and incidents that may have originated in another country, Singapore’s government has formed strong relationships with Computer Emergency Response Teams overseas, with which the CSA will work closely.
How can we help?
If you think this Bill will affect you but are unsure of the steps to take, get in touch and speak with one of our consultants based in Asia. At Commissum, we pride ourselves on our expertise and strive to provide the most up-to-date knowledge to keep clients at the forefront of regulation and give them what they need to protect their data.
If you have any questions about how the new Singapore Cybersecurity Bill could affect you, or about how best to futureproof against the impending legislation, please get in touch.