The Cybersecurity (Amendment) Bill was passed by the Singapore Parliament on 7 May 2024. The passing of such a bill is vital to Singapore’s cybersecurity landscape and her continued progression as a digitally advanced nation. In this brief article, we have summarised the main points of the Cybersecurity (Amendment) Bill below.
1. Who does the Cybersecurity Act affect?
Currently, the Cybersecurity Act applies to Critical Information Infrastructure (“CII”) located wholly or partly in Singapore.
Going forward, once the amendments under the Cybersecurity (Amendment) Bill are in force, the Cybersecurity Act would apply to CIIs, owners of Systems of Temporary Cybersecurity Concern (“STCC”), Entities of Special Cybersecurity Interest (“ESCI”) and Foundational Digital Infrastructure service providers (“FDI”).
2. How do the amendments affect CIIs?
CIIs are critical computer systems that are necessary for the continuous delivery of an essential service in Singapore; the loss or compromise of such computer systems would have a debilitating effect on the availability of the relevant essential service in Singapore. Examples of a CII include essential services such as utility supplies and banking services. The list of CII owners is not publicly published.
The amendments affecting CIIs are as follows:
a. Protects both physical and virtual CII systems
Currently, the Cybersecurity Act only protects physical CII systems. Going forward, it would extend to virtual CII systems, which includes cloud computing systems.
b. Enhanced regulation for responsibility for essential service providers using CIIs owned by third parties
The amendments will ensure that essential service providers are responsible for such third party-owned CII to meet the necessary cybersecurity standards and requirements.
c. Extends to CIIs that are wholly located overseas
Currently, the Cybersecurity Act only covers CII if it is located wholly or partly in Singapore. Going forward, it will also extend to CIIs located wholly outside of Singapore.
d. Expansion of list of cybersecurity incidents that require reporting
Currently, a CII owner is only required to report cybersecurity incidents relating to the CII, or computers or computer systems that are interconnected with or communicate with the CII. The amendment will require CII owners to report additional incidents that affect: (i) other computers under the owner’s control, and (ii) computers under the control of a supplier that are interconnected with or communicate with the CII.
3. How do the amendments affect STCCs?
STCCs are computer systems that are located wholly or partly in Singapore and are critical to Singapore for a limited period that are at high risk of cybersecurity attacks and that the loss or compromise of such systems would have a detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
The amendments affecting STCCs are as follows:
a. Regulation of STCCs
The amendments would allow the relevant regulator (the Cyber Security Agency of Singapore) to regulate STCCs and the cybersecurity of STCCs. This includes giving the Cyber Security Agency of Singapore the power to issue written directions to STCCs and power to grant and withdraw the designation of STCCs.
b. Duty to report cybersecurity incidents
STCCs have a duty to report certain prescribed cybersecurity incidents to the Cyber Security Agency of Singapore.
c. Requirement to establish mechanisms and processes
The owners of STCCs are required to establish mechanisms and processes for detecting cybersecurity threats and incidents.
4. How do the amendments affect ESCIs?
ESCIs are entities that store sensitive information in a computer system under the entity’s control or entities that use a computer system under their control to perform a function that if disrupted, will have significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
The amendments affecting ESCIs are as follows:
a. Regulation of ESCIs
The amendments would allow the Cyber Security Agency of Singapore to regulate ESCIs. This includes giving the Cyber Security Agency of Singapore the power to issue written directions to ESCIs and power to grant and withdraw the designation of ESCIs.
b. Duty to report cybersecurity incidents
ESCIs have a duty to report certain prescribed cybersecurity incidents to the Cyber Security Agency of Singapore where the incident results in a breach in the availability, confidentiality or integrity of the entity’s data or has significant impact on the business operations of the entity.
c. Requirement to establish mechanisms and processes
ESCIs are required to establish mechanisms and processes for detecting cybersecurity threats and incidents in respect of the system of special cybersecurity interest, as set out in any applicable code of practice.
5. How do the amendments affect FDIs?
FDIs are computer systems that are necessary for the continuous delivery of a foundational digital infrastructure service provided from within or outside Singapore (wholly or partially) to persons in Singapore and the loss or impairment of the provision of such services is likely to lead to or cause disruption or deterioration of the operation of a large number of businesses or organisations in Singapore which rely on such FDIs. Examples of FDIs would include cloud service providers and data centre operators.
The amendments affecting FDIs are as follows:
a. Regulation of FDIs
The amendments would allow the Cyber Security Agency of Singapore to regulate FDI service providers. This includes giving the Cyber Security Agency of Singapore the power to issue written directions to FDI service providers and power to grant and withdraw the designation of FDI service providers.
b. Duty to report cybersecurity incidents
FDI service providers have a duty to report certain prescribed cybersecurity incidents to the Cyber Security Agency of Singapore, including incidents that results in a disruption or degradation to the continuous delivery of the FDI in Singapore for which the provider is designated and where the incident has a significant impact on the FDI service provider’s business operations in Singapore.
c. Requirement to establish mechanisms and processes
FDI service providers are required to establish mechanisms and processes for detecting cybersecurity threats and incidents in respect of FDIs, as set out in any applicable code of practice.
6. Comment
As digital technology is an integral part of the growth of businesses and our daily lives, there is no doubt that cybersecurity threats continue to increase not only in Singapore but globally. As Singapore continues to progress as a digitally safe and technologically savvy nation, the Cybersecurity (Amendment) Bill gives Singapore a significant advantage by not only strengthening our existing cybersecurity landscape but also by increasing users’ trust in using online services in Singapore.
Going forward, CIIs, STCCs, ESCIs and FDIs should review their processes and policies to ensure that they are legally compliant with the Cybersecurity Act once the amendments under the Cybersecurity (Amendment) Bill are in force.