Directors Lim Chong Kin and Anastasia Su-Anne Chen featured in ALB article discussing the expanded scope of the recently amended Cybersecurity Act in Singapore

09 Jul 2024

Head of Telecommunications, Media & Technology Practice Group Lim Chong Kin and Director Anastasia Su-Anne Chen are featured in the Asian Legal Business article titled, “Singapore ramps up national cybersecurity with expanded protection laws”, providing their perspectives on Singapore's recently expanded Cybersecurity Act (the “Act”).

The expanded scope of the Act will cover not just owners of critical information infrastructure (“CII”), but also providers of essential services that rely on third-party-owned CII. The amended Act will empower the Cyber Security Agency (“CSA”) to regulate a CII that is wholly located outside Singapore, if its owner is in Singapore. Chong Kin and Anastasia said, “[t]his may include a multinational company that provides essential services in Singapore by relying on its computer systems overseas or on system infrastructure owned by a third-party vendor or affiliate.” In ensuring compliance, these companies should “review their internal processes, keeping in mind the notification and risk assessment obligations…”

They further added that “[i]f multinational companies are designated as providers of essential services... they should obtain legally binding commitments from the third party who owns the CII to adhere to prescribed standards relating to cybersecurity.” For instance, a designated provider of essential services that relies on third-party-owned CII “will be required to notify the Commissioner of any change in the beneficial or legal ownership of the third-party-owned CII, and any prescribed cybersecurity incident involving the third-party-owned CII,” while companies that are regulated as owners of CII “should be cognisant of the expanded incident reporting obligations under the amended Act…that affect other computers under the owner’s control, and computers under the control of a supplier that are interconnected with or communicates with the CII.”

Chong Kin and Anastasia opined that companies that may fall under the new categories of foundational digital infrastructure (“FDI”) service providers or entities of special cybersecurity interest (“ESCI”) are subject to “a light-touch regime”.

A key compliance requirement that companies can expect would be incident reporting. Both designated FDI service providers and ESCIs will need to notify the regulators of prescribed cybersecurity incidents “that have a significant impact on their business operations in Singapore”, and the “designated FDI service providers will have reporting obligations related to incidents that result in a disruption or degradation to the continuous delivery of its FDI services in Singapore.”

In addition to the amended Act, the planned introduction of the Digital Infrastructure Act (“DIA”) in Singapore is intended to regulate digital infrastructures that would have “a systemic impact in the event of disruptions”.

While the specific requirements of the planned DIA have not yet been shared publicly, Chong Kin and Anastasia said that companies can expect obligations in the form of “incident reporting requirements and baseline resilience and security standards”. The Ministry of Communications and Information has indicated that the DIA will go beyond cybersecurity to address a broader set of resilience risks, ranging from misconfigurations in technical architecture to physical hazards such as fires, water leaks, and cooling system failures.

In preparation, it is recommended that companies “conduct a risk assessment of their digital infrastructure, benchmark their resilience and security posture against international standards, and review their internal mechanisms to manage and escalate security incidents.”

You may read the full article on p. 11 of ALB June 2024 issue here.
