CSA consults on licensing framework for cybersecurity service providers under Cybersecurity Act: Proposed licence conditions and regulations

5 October 2021

From 20 September 2021 to 18 October 2021, the Cyber Security Agency of Singapore (“CSA”) is seeking industry feedback on the proposed licence conditions and draft subsidiary legislation under the licensing framework for cybersecurity service providers (“CSPs”) found in Part 5 of the Cybersecurity Act 2018 (“Act”). While most of the provisions of the Act came into force on 31 August 2018, the operational date for the licensing framework under Part 5 of the Act was deferred to allow for further study and consultation to enhance its practicability for CSPs.

The licensing framework is expected to be implemented by early 2022.

Scope of licensing framework under Part 5

As set out in the Industry Consultation Paper on the Licensing Framework for Cybersecurity Service Providers (“Consultation Paper”) issued by CSA, the following is a brief recap of the scope of the licensing framework under Part 5 of the Act:

• Main licensing requirements: The two main requirements that CSPs must comply with under Part 5 of the Act are to (i) ensure that their key officers (i.e. any director or partner of the business entity or other person who is responsible for the management of the business entity) are fit and proper, and (ii) keep basic records on the cybersecurity services provided for a duration of at least three years.
• Types of CSPs covered: Only penetration testing service and managed security operations centre (“SOC”) monitoring service are prescribed as licensable cybersecurity services under the Act.

All CSPs that provide either or both of these licensable cybersecurity services to the Singapore market, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) who are directly engaged for such services, or third-party CSPs that provide these services in support of other CSPs, will need to be licensed. Resellers, or overseas CSPs who provide licensable cybersecurity services to the Singapore market would likewise need to be licensed.

For further information, please refer to our article titled “Cybersecurity Act 2018 operative from 31 August 2018 to protect critical information infrastructure against cybersecurity threats”.

Key licence conditions proposed

Set out below is a summary of the key proposed licence conditions, applicable to both the penetration testing service licence and the managed SOC monitoring service licence, as highlighted in the Consultation Paper:

• Licence period: To strike a balance between security concerns and the minimising of administrative burden to CSPs, the licence period for both licences will be set at two years, and this is applicable to both new and renewed licences. The licence period may be adjusted in future, subject to CSA’s assessment on the CSPs’ level of compliance with the regulatory requirements. 
• Professional conduct of licensees: To provide a baseline level of protection for consumers of cybersecurity services, and to uphold the CSPs’ professionalism, licensees will be required to comply with certain requirements on professional conduct. These requirements include maintaining confidentiality about their clients’ information, not making any false representation in advertising their services or in the provision of their services, exercising due care and skill, and acting with honesty and integrity. 
• Provision of information: Licensed CSPs are to provide information concerning or relating to their cybersecurity service upon request, and within the timeframes specified by the licensing officer. This information is meant to assist CSA in its investigation into (i) any matter relating to or arising from the licensee’s application for grant or renewal of its licence, (ii) any breach or potential breach by the licensee of the Act or any licence conditions imposed on the licensee, or (iii) any matter relating to the licensee’s continued eligibility to be a holder of the licence.
• Notification on changes to information: To ensure that the licensees’ key officers are fit and proper, licensees are to notify the licensing officer at least 30 days before the appointment of new key officer(s). A licensee is also required to notify the licensing officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the licensing officer in relation to its licence within 14 days.

A full set of the proposed licence conditions is set out at Annex A of the Consultation Paper.

Key regulations in the draft Cybersecurity (Cybersecurity Service Providers) Regulations 2021

Set out below is a summary of the key proposed regulations in the draft Cybersecurity (Cybersecurity Service Providers) Regulations 2021, as highlighted in the Consultation Paper:

• Application for grant or renewal of licence: All applications for the grant or renewal of licence must include information which is necessary for the licensing officer to make a thorough assessment of the application. Such information includes the applicant’s name, identifiable information (e.g. identify card number for individuals, or the Singapore unique entity number for business entities) and contact details, relevant qualification or experience (for individuals, or key officers for applicants which are business entities), and also information relevant for the licensing officer to consider if the applicant is fit and proper (for applicants which are business entities, such information would also be required for every key officer). 
• Licence fees: The licence is valid for two years and is renewable once every two years. The upfront two-year licence fees payable for both new and renewed licences will be S$1,000 for business entities, and S$500 for individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals). No application fees will be imposed on CSPs for the grant or renewal of licences. Due to the Covid-19 pandemic which has negatively impacted many businesses, 50% of the abovementioned fees will be waived for all applications lodged within the first 12 months from the commencement of the licensing framework. Existing CSPs who are already in operations before the commencement of the licensing framework will be given six months from the commencement of the licensing framework to apply for a licence.
• Keeping records: Licensees are required to keep a record of the following information in relation to each occasion on which the licensee is engaged to provide its cybersecurity service:
  • Name and address of the person engaging the licensee for the service;
  • Name and individually identifiable information of the person providing the service on behalf of the licensee;
  • Date on which the service is provided; and
  • Details of the type of service provided.

• Appeals: An appeal against any of the decisions made by the licensing officer in relation to the refusal of an application for the grant or renewal of a licence, addition or modification of conditions during the grant or renewal of a licence, revocation or suspension of a licence, or an order for the payment of a financial penalty, is to be made via the form set out at www.mci.gov.sg, accompanied by all the relevant documents mentioned in, or relied on in support of the appeal. The appeal should also specify the name and particulars of the person bringing the appeal, identify the decision or order appealed against, and state the reasons for the appeal, among other details and/or requirements.

The draft Cybersecurity (Cybersecurity Service Providers) Regulations 2021 are set out in full at Annex B of the Consultation Paper.

Reference materials

The following materials are available on the CSA website www.csa.gov.sg:

• Press release
• Industry Consultation Paper on the Licensing Framework for Cybersecurity Service Providers