28 March 2018
The Cybersecurity Act 2018 (“Act”) was gazetted on 12 March 2018, but it is not in force yet. The Act will take effect on a date to be appointed.
The Act seeks to establish a framework for the protection of critical information infrastructure (“CII”) against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services.
The Chief Executive of the Cyber Security Agency of Singapore (“CSA”) will administer the Act as the Commissioner of Cybersecurity (“Commissioner”) to be appointed by the Minister-in-charge of Cybersecurity (“Minister”). The Act will empower the Commissioner to designate computers and computer systems as CII if the Commissioner is satisfied that:
- the computer or computer system is necessary for the continuous delivery of essential services in Singapore;
- the loss or compromise of such computer or computer system will have a debilitating effect on the availability of the essential service (referred to in paragraph 1 above) in Singapore; and
- the computer or computer system is located wholly or partly in Singapore.
Organisations that legally own computers or computer systems that are designated as CII (“CII Owners”) will be notified in writing. CII Owners will be given an opportunity to submit representations to the Commissioner if they disagree with the Commissioner’s decision. They may also appeal against the designation to the Minister, whose decision will be final. In this regard, a CII Owner may request the Commissioner to issue the notice designating a computer or computer system as a CII to another person by showing proof that, generally:
- they are unable to comply with the requirements in Part 3 of the Act because they do not have effective control over or the ability to carry out changes to the computer or computer system; and
- another person has such effective control over or ability to carry out changes to the computer or computer system (“Controller”).
If the Commissioner accepts that the above conditions have been met, the Commissioner may amend the notice and issue the amended notice to the Controller, who will then (instead of the CII Owner) be subject to the statutory duties under Part 3 of the Act for the period the notice is in effect.
Part 3 of the Act imposes various statutory duties on CII Owners or Controllers (as the case may be). These statutory duties include a notification obligation in respect of any change in ownership of the CII and obligations to conduct audits and cybersecurity risk assessments. In addition, the CII Owner or Controller is required to report to the CSA any cybersecurity incident which occurs on or affects their CII and, for this purpose, is required to establish such mechanisms and procedures as set out in any applicable code of practice.
Generally, non-compliance with any of the statutory duties without reasonable excuse will constitute a criminal offence punishable with a fine and/or imprisonment.
The Commissioner has powers to investigate and respond to cybersecurity threats or incidents and/or authorise incident response officers to exercise such powers. The Minister is also empowered to take certain emergency cybersecurity measures if the Minister is satisfied they are necessary for the purposes of preventing, detecting or countering any serious and imminent threat to the provision of any essential service or the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
The Act also prescribes two licensable cybersecurity services, namely, managed security operations centre (SOC) monitoring service and penetration testing service.
The Cybersecurity Bill (“Bill”) was passed in Parliament on 5 February 2018. The Bill was introduced in Parliament on 8 January 2018 following a six-week joint public consultation exercise on the proposed Bill in July and August 2017 by the Ministry of Communications and Information (“MCI”) and CSA. On 13 November 2017, MCI and CSA released a full report setting out their response to the feedback received.