Legal Bulletin July 2017

Home : Publications:Legal Bulletin July 2017


Published date: 28 Jul 2017

MCI and CSA consult on proposed Cybersecurity Bill

Between 10 July 2017 and 24 August 2017, the Ministry of Communications and Information (“MCI”) and the Cyber Security Agency of Singapore (“CSA”) are jointly conducting a public consultation on the proposed Cybersecurity Bill (“Bill”). Initially scheduled for 3 August 2017, the deadline for submission of feedback was extended to 24 August 2017.
 
The Bill will establish a framework for the oversight and maintenance of national cybersecurity in Singapore, and will empower CSA officers to carry out their functions. One key proposal relates to the designation of a computer or computer system as a Critical Information Infrastructure (“CII”) for the purposes of the Bill.
 
Set out below is a summary of the key features of the proposed cybersecurity legislation:
 
·         Powers to be vested in Commissioner of Cybersecurity: The powers of the Bill shall be vested in a Commissioner of Cybersecurity (“Commissioner”), to be appointed by the Minister-in-charge of Cybersecurity (“Minister”). The position will be held by the Chief Executive of CSA. The Minister may appoint a Deputy Commissioner, as well as a number of Assistant Commissioners who will oversee and enforce the protection requirements for CIIs.
 
·         Commissioner to designate CII: The Commissioner may, by written notice to the CII owners, designate a computer or computer system, located wholly or partly in Singapore, as a CII for a period of five years. The designation of a computer or computer system as a CII is an official secret under the Official Secrets Act, and shall not be divulged to the public. CII owners may, within 30 days of official designation, appeal against the designation to the Minister, whose decision shall be final.
 
·         CII is a computer or computer system necessary for the continuous delivery of essential services (includes banking and finance services): The Bill defines a CII as a computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. The list of essential services is set out in a Schedule to the Bill and includes services relating to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, media and the Government. New essential services may be added from time to time by the Minister.
 
·         CII owners responsible for ensuring the cybersecurity of CIIs they own: CIIs may be owned by either the public or private sector. Such owners shall be subject to certain statutory duties under the Bill.
 
·         CII owners must notify change in ownership: A CII owner must inform the Commissioner of any intended change in ownership of the CII no later than 90 days before the date of the intended change in ownership.
 
·         Powers to conduct investigations effectively on the ground: The Bill sets out three proposed scenarios for the exercise of powers to investigate cybersecurity threats and incidents:
 
-    All cybersecurity threats and incidents: If the Commissioner has information regarding a cybersecurity threat or incident, the Commissioner may examine anyone relevant to the investigation and take statements, and require the provision of relevant information.
 
-    Serious cybersecurity threats and incidents: If necessary, the Commissioner may take more intrusive measures such as directing persons to carry out remedial measures and assist in the investigation, entering premises where relevant computers and computer systems are located, accessing such computers, scanning computers for cybersecurity vulnerabilities and seizing any computer or equipment for the purpose of carrying out further examination and analysis.
 
-    Emergency measures and requirements: The Minister may (by issuing a certificate) authorise any person or organisation to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service, or any class of computers or computer services.
 
·         Criminal offence attracting fine and/or imprisonment: According to the Public Consultation Paper on the Draft Cybersecurity Bill (“consultation paper”), a CII owner who fails to perform their statutory duties wilfully, or fails to comply with the Commissioner’s directions without reasonable excuse, shall be guilty of a criminal offence and shall be liable on conviction to a fine and/or imprisonment. The consultation paper also states that the wilful non-compliance of instructions or wilful refusal to provide information during an investigation will also be a criminal offence with a penalty of a fine and/or imprisonment.
 
·         Light-touch licensing regime for cybersecurity service providers: MCI / CSA are proposing to introduce a light-touch licensing regime for cybersecurity service providers that service the Singapore market, and to also improve the standing of cybersecurity professionals. As this is a technical and evolving area, the list of licensable cybersecurity service providers will be set out in a Schedule to the Bill that the Minister may amend, instead of directly specifying them within primary legislation. There are two types of licences: (i) investigative cybersecurity service and (ii) non-investigative cybersecurity service.
 
·         Licensed service providers must meet certain basic requirements: Licensed service providers (both investigative and non-investigative) will need to meet certain basic requirements. For example, key executive officers must be fit and proper persons. The criteria for considering whether a person is fit and proper includes, but is not limited to, honesty, integrity and financial soundness. Licensed individuals (under an investigative cybersecurity service licence) will need to be fit and proper persons, and comply with a Code of Ethics.
 
·         Other considerations under the proposed licensing framework: The intent is to keep licensing requirements and registration procedures as simple as possible. The same licensing requirements will apply to overseas providers to ensure there is as much as possible a level playing field between local and overseas service providers. The licensing framework will not take immediate effect, and CSA will consult the industry further on detailed requirements before the framework is operationalised.
 
Reference materials
 
The following materials are available from the MCI website www.mci.gov.sg:
 
·         Press release
 
 
 
·         Draft Cybersecurity Bill
 
 
For further information, please contact:
 
+65 6890 7883
 
+65 6890 7710
 
+65 6890 7852
 
+65 6890 7518
 
+65 6890 7526
 
+65 6890 7627
 

<Back to Legal Bulletin July 2017

Find a Publication

For more information on Singapore law, please go to: www.singaporelaw.sg