On 15 December 2023, the Cyber Security Agency of Singapore (CSA) released for public consultation the draft Cybersecurity (Amendment) Bill (Draft Bill), which seeks to amend the Cybersecurity Act 2018 (CS Act). The public consultation concluded on 15 January 2024.
The consultation paper and the Draft Bill can be accessed here.
The proposed changes are significant and will have implications for the cybersecurity landscape in Singapore, which we consider below.
The amendments in the Bill seek to ensure that Singapore’s cybersecurity laws are aligned with their purpose of protecting Singapore against cybersecurity threats and adverse disruptions.
The Proposed Changes
Broadly, the Draft Bill proposes to make two key changes:
- strengthening the regulatory approach to critical information infrastructure (CII); and
- extending the regulatory scope of the CS Act to include other entities beyond CII owners.
Strengthening the Regulatory Approach to CII
At present, Part 3 of the CS Act primarily imposes obligations on CII owners. This regulatory approach reflects the fact that, at the time the CS Act was enacted, providers of essential services tended to own and operate the CII necessary for the delivery of such essential services.
However, since the enactment of the CS Act, there has been a shift towards virtualisation or use of outsourced vendors (Computing Vendors) to provide specific computing needs. Recognising that the use of such Computing Vendors should be facilitated if it could improve the delivery of essential services, the CSA is proposing to introduce a new Part 3A to the CS Act, to facilitate the use of Computing Vendors by providers of essential services.
Under the new proposed Part 3A of the CS Act, providers of essential services will be permitted to use Computing Vendors in the delivery of an essential service. However, responsibility for the cybersecurity of the essential service will remain with its providers. The Commissioner of Cybersecurity (Commissioner) will be able to impose various duties on providers of essential services that are designed to result in the same cybersecurity outcomes as Part 3 of the CS Act (which applies to CII owners).
To ensure that providers of essential services can discharge their duties under the CS Act, they will be required to obtain legally binding commitments from their Computing Vendors. If they are not able to obtain such commitments, the Commissioner may order the provider of the essential service to cease the use of the non-provider-owned CII.
Extending the Regulatory Scope of the CS Act beyond CII
The other significant change to the CS Act relates to the extension of the regulatory scope of the CS Act beyond that of CII owners and providers of essential services.
This is a recognition of the fact that due to increased digitisation, there are other components in Singapore’s cybersecurity landscape apart from essential services where disruptions caused by cybersecurity incidents could significantly impact or degrade life in Singapore.
Therefore, the CSA is proposing to expand the CS Act, with Parts 3B, 3C and 3D, to regulate the following classes of entities:
- major providers of foundational digital infrastructure (FDI). These relate to important digital infrastructure not falling within the CII designations which could lead to major disruptions and impact if compromised, for example, data centre operators or cloud service providers;
- entities of special cybersecurity interest (ESCI). These are entities in possession of sensitive data that could have an adverse effect on Singapore’s interests if compromised, for example, entities collaborating with the Government; and
- owners of systems of temporary cybersecurity concern (STCC). These are systems that are of temporary significance, for example, the national vaccination systems.
As with providers of essential services and CII owners, once designated, these entities will be subject to certain duties under the CS Act. The duties imposed on these entities include the duty to provide information to the Commissioner, the duty to comply with codes of practice, standards of performance or written directions issued by the Commissioner, and the duty to notify the Commissioner of prescribed cybersecurity incidents.
The proposed enhanced powers of the CSA will have the following implications for the cybersecurity landscape:
- Increased Regulatory Oversight: the new designations, namely, FDI, ESCI and STCC entities, increase the scope of the CSA to provide regulatory oversight of the cybersecurity approach of these entities.
- Stricter Cybersecurity Standards: more stringent cybersecurity requirements will apply across the wider range of regulated entities, with penalties for non-compliance to be set out in subsidiary legislation.
- Enhanced Incident Reporting Regime: reporting obligations for cybersecurity incidents will be expanded beyond those CII systems under the direct control of owners or service providers.
- Increased Supply Chain Scrutiny: the expansion of regulatory oversight is likely to lead to further scrutiny over cybersecurity supply chains, with the effect of more stringent requirements being imposed downstream by such entities regulated by the CSA.
We would like to thank our practice trainee, Charles How, for his assistance with the preparation of this update.
Such duties include providing information on non-provider-owned CII, complying with codes of practice and standards of performance, conducting regular audits, and notifying the Commissioner of changes of ownership of non-provider-owned CII and of the occurrence of prescribed cybersecurity incidents, etc.