27 September 2018

With effect from 31 August 2018, most sections of the Cybersecurity Act 2018 (“Act”) have come into force. The Act establishes a framework for the protection of critical information infrastructure (“CII”) against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services. The provisions which are not yet in force relate to the licensing framework for cybersecurity service providers.

The following subsidiary legislation has been issued under the Act and also took effect on 31 August 2018:

  • Cybersecurity (Critical Information Infrastructure) Regulations 2018
  • Cybersecurity (Confidential Treatment of Information) Regulations 2018

The key features of the Act are as follows:

  • The Chief Executive of the Cybersecurity Agency of Singapore (“CSA”) will administer the Act as the Commissioner of Cybersecurity (“Commissioner”) to be appointed by the Minister-in-charge of Cybersecurity.
  • The Commissioner may designate a computer or computer system as a CII if he is satisfied that the computer or computer system is located wholly or partly in Singapore and is necessary for the continuous delivery of an essential service, and that its loss or compromise will have a debilitating effect on the availability of the essential service in Singapore.
  • Prior to designating a computer or computer system as a CII, the Commissioner will first consult its owner and the relevant sector regulator to identify whether the computer or computer system is responsible for the provision of any of the essential services. The Cybersecurity (Critical Information Infrastructure) Regulations 2018 set out the information which the Commissioner may ask for to ascertain whether the computer or computer system fulfils the criteria of a CII.
  • An essential service means any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule to the Act.
  • An “owner”, in relation to a CII, means the legal owner of the CII and, where the CII is jointly owned by more than one person, includes every joint owner.
  • The Commissioner may designate a computer or computer system as a CII via written notice to the owner of the computer or computer system. However, the person who receives such notice of designation may request the Commissioner to amend the notice and address it to another person who has effective control over the CII.
  • CII owners have various statutory duties, which include notifying changes in ownership and conducting audits and cybersecurity risk assessments.
  • Generally, non-compliance with the statutory duties without reasonable excuse is a criminal offence which attracts a fine and/or imprisonment.
  • The Commissioner determines the appropriate response to cybersecurity threats and incidents based on the level of severity. 
  • Only managed security operations centre monitoring services and penetration testing services are prescribed as licensable cybersecurity services. The provisions relating to the licensing framework for cybersecurity service providers are not in force yet.

Reference materials

The following materials are available on the Singapore Statutes Online website sso.agc.gov.sg:

 
