Singapore introduces the Cybersecurity (Amendment) Bill to regulate new classes of persons and keep pace with evolving business models and cyber threats

05 Apr 2024

1. On 3 April 2024, the Cybersecurity (Amendment) Bill was introduced in Parliament, following a public consultation by the Cybersecurity Agency of Singapore (“CSA”) from 15 December 2023 to 15 January 2024 on the proposed amendments. In conjunction with this, the CSA has also released a closing note to the Cybersecurity (Amendment) Bill, reflecting its responses to the feedback received.

2. This is the first amendment to the Cybersecurity Act 2018 (“CA”) since its enactment in 2018.The CA sets out the legal framework for the oversight and maintenance of national cybersecurity in Singapore. In light of the adoption of new technological tools and business models, such as cloud computing, the amendments are timely to ensure that Singapore’s cybersecurity laws remain fit-for-purpose to address the emerging challenges in cyberspace.

3. The key points of the proposed Bill that may potentially affect you are as follows: 

A. What are the key changes in the proposed Bill?
  • Expands the scope of the CA to regulate 4 new classes of persons:
    • (1) Designated providers of essential services who do not own the critical information infrastructure (“CII”) used for the continuous delivery of the essential services they are responsible for (i.e., third-party-owned CII). The provider of essential services will be required to obtain legally binding commitments from the third-party to provide the necessary information or adhere to prescribed standards relating to cybersecurity, etc. so that they can discharge their duties under the CA. If they do not obtain the legally binding commitments, they may be ordered by the Commissioner to cease using the third-party-owned CII;
    • (2) Owners of systems of temporary cybersecurity concern (where these systems are at higher risk of cyber-attacks due to temporary events or situations (e.g., pandemic vaccine distribution);
    • (3) Entities of special cybersecurity interest – subject to a “light-touch regulatory treatment”; and
    • (4) Providers of major foundational digital infrastructure services – also subject to a “light-touch regulatory treatment”. 
  • Enhances regulatory powers of the Commissioner by, for example, expanding the types of incidents to be reported to the Commissioner and granting the Commissioner the power to authorise the conduct of on-site inspections. 
B. Why are these changes being made? 
As Singapore continues to digitalise, there is an increased risk of cyber-attacks. Given the potentially pervasive knock-on impact that disruptions to the functioning of digital infrastructure can have on essential services, it is important to ensure that there are necessary safeguards – beyond the current safeguards for CII covered by the CA – put in place, so that Singaporeans and businesses can embrace digitalisation with confidence.
 
C. Does the service I am providing fall under the new provisions? What are my obligations? 
We have set out 5 types of entities who will be affected by the proposed amendments.
 
In general, all of the entities below will be required to adhere to codes of practice, standards of performance and prescribed technical or other standards relating to cybersecurity, report cybersecurity incidents to CSA, and comply with directions or notices issued by the Commissioner to ensure the cybersecurity of specific computer systems under their charge. For the specific obligations for each type of entity, please see the Annex below.
 
Entity What are my obligations
If the computer/computer system you use is designated as CII
(1) Third-party-owned CII
 
Providers of essential services who do not own the CII they use, but use CII owned by a computing vendor/third-party, and the provider is designated by the Commissioner as a “provider of an essential service responsible for the cybersecurity of third-party-owned critical information infrastructure” under section 16A.
 
[Note on virtualised CII system: CSA has introduced additional provisions to clarify that the owner of a virtual CII system would be one who has the necessary control over the said CII system, and not the cloud service provider.]
New obligations in Part 3A (see more in Scenario 1 in the Annex below)
 
(2) Provider-owned CII
 
Providers of essential services who own the CII they use, and the CII is designated by the Commissioner under section 7 as “provider-owned critical information infrastructure”.
New incident reporting obligations under Part 3 (see more in Scenario 2 in the Annex below)
If the computer/computer system you use is not designated as CII under section 7 or new section 16A, it may still fall within one of the 3 categories below
(3) Owners of systems of temporary cybersecurity concern
 
An owner of a computer or computer system designated as a “system of temporary cybersecurity concern” (STCC).
 
Your computer or computer system (located wholly or partly in Singapore) may be designated as an STCC if the Commissioner is satisfied that the risk of a cyber-attack on the computer or computer system is high and the loss or compromise of the computer or compute system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
 
Examples of STCC would be systems set up specifically to support high-key international events in Singapore (e.g., the World Economic Forum), or systems set up to support the distribution of vaccines during the COVID-19 pandemic.
New obligations under Part 3B (see more in Scenario 3, in the Annex below)
(4) Entities of special cybersecurity interest
 
An entity designated as an “entity of special cybersecurity interest” (ESCI).
 
You may be designated as an ESCI if the Commissioner is satisfied that you store sensitive information in a computer/computer system under your control, or if you use a computer/computer system under your control to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
 
The CSA has indicated that the list of designated ESCI will not be released for security reasons, but an example of an ESCI could include autonomous universities.
New obligations under Part 3C (see more in Scenario 4 in the Annex below)
(5) Major FDI service providers (in particular cloud computing service providers and data centre facility service providers)
 
Providers of “foundational digital infrastructure services”[1], where the provider is designated as a “major FDI service provider”.
 
You may be designated as a major FDI service provider if the Commissioner is satisfied that you provide an FDI service to or from Singapore, and the loss or impairment of the provision of the FDI service is likely to lead to or cause disruption or deterioration of the operation of a large number of businesses or organisations that rely on or are enabled by the FDI service.
 
[1] “Foundational digital infrastructure services” are services that promote the availability, latency, throughput or security of digital services, and have been specified in the Third Schedule to the Act:
  1. Providing a cloud computing service, meaning a service, delivered from a computer or computer system in Singapore or outside Singapore, that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; or 
 
  1. Providing a data centre facility service, meaning any service which relies on a computer or computer system in Singapore to facilitate data storage, processing and transmission by another person through the centralised accommodation, interconnection and operation of one or more computers or computer systems, encompassed within a facility in Singapore dedicated to that purpose, which —
    1. includes a service to host the computers or computer systems within the facility; and
    2. excludes a service provided from a facility which is owned by the sole party using the service.
New obligations under Part 3D (see more in Scenario 5 in the Annex below)

D. What are the penalties for non-compliance? 
In the event of any non-compliance with the amended law, this may generally invite a fine of up to $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
 
As an example, such a penalty would be applicable where the provider of the essential service (who is not the owner of the CII) fails to obtain the required commitments from the owner of the third-party-owned CII, and the provider of the essential service, without reasonable excuse, thereafter fails to comply with the Commissioner’s order to cease the use of the third-party-owned CII.
 
For offences relating to ESCI and providers of major FDI services, the penalties are higher, with a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
 
The Bill also introduces a new civil penalty regime, where for the contravention of any provision in Part 3, 3A, 3B, 3C or 3D that is punishable as an offence, the Commissioner may, with the consent of the Public Prosecutor, bring an action in a court against the person to seek an order for a civil penalty in lieu of prosecution. The civil penalty can be up to 10% of the annual turnover of the person’s business in Singapore, or $500,000, whichever is higher.
 
E. What are my next steps before the legislation comes into force? 
For your reference, please click here to access CSA’s press release and response to public feedback on the consultation, and click here to access the Cybersecurity (Amendment) Bill that was introduced on 3 April 2024. The closing note to the public consultation on the Cybersecurity (Amendment) Bill can be accessed here.

4. We will continue to closely monitor developments in this area, and will update you if there are any developments at the Second Reading of the Bill next month.

5. Please do not hesitate to contact any members of our Data Protection, Privacy and Cybersecurity Practice if you require more information about the proposed amendments and how they may impact your business operations.

ANNEX
 
Scenario 1: If you are a designated provider of essential services who does not own the CII you use, but use CII owned by a third party (i.e. “third-party-owned CII”)
  • If you are a designated provider of essential services that use CII from a computing vendor/third-party and do not own the CII yourself, new Part 3A of the Act imposes duties on you, such as to:
    • (a) Provide the Commissioner with information on the third-party-owned CII (new section 16E);
    • (b) Comply with any codes of practice, standards of performance or written directions in relation to providers responsible for the third-party-owned CII that may be issued by the Commissioner (new sections 16G and 35A);
    • (c) Notify the Commissioner of any change in the beneficial or legal ownership of the third-party-owned CII (new section 16H);
    • (d) Notify the Commissioner of any prescribed cybersecurity incident involving the third-party-owned CII (new section 16I);
    • (e) Cause regular audits of the adherence of the third-party-owned CII with the Act and any prescribed technical or other standards relating to cybersecurity to be carried out by an auditor approved by the Commissioner (new section 16J);
    • (f) Cause regular cybersecurity risk assessments of the third-party-owned CII to be carried out (new section 16J); and
    • (g) Participate in cybersecurity exercises to test your readiness in responding to significant cybersecurity incidents as required by the Commissioner (new section 16L).
  • You (as a designated provider of the essential service) must obtain legally binding commitments from the computing vendor/third-party to ensure that you are able to discharge your duties under the Act. For more details, see new sections 16E, 16F, 16H, 16I and 16J. 
Scenario 2: If you are a provider of essential services and own the CII you use (i.e. provider-owned CII)
  • Existing section 12 of the Act is amended to allow the Commissioner to give written directions to you to comply with any prescribed technical or other standards relating to cybersecurity in respect of the provider-owned CII.
  • Existing section 14 of the Act is amended to expand the types of incidents to be reported to the Commissioner, so that it also includes:
    • (a) prescribed cybersecurity incidents in respect of any other computer or computer system under the owner’s control that does not fall within section 14(1)(b) of the Act [note: section 14(1)(b) covers a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the CII]
    • (b) prescribed cybersecurity incidents in respect of any computers or computer systems under the control of a supplier to the owner that is interconnected with or communicates with the provider-owned CII.
  • Section 7 of the Act has also been amended to ensure that providers of essential services located in Singapore cannot avoid their duties under Part 3 of the Act by offshoring their CII. Therefore, please note that there is a potential for any computer or computer system that you own that is located wholly outside Singapore to also be designated as a provider-owned CII for the purposes of the Act. 
Scenario 3: If the computer/computer system you own is designated as a system of temporary cybersecurity concern (STCC)
  • If your computer/computer system is designated as an STCC, new Part 3B of the Act imposes duties on you, such as to:
    • (a) Provide the Commissioner with information on the STCC (new section 17D);
    • (b) Comply with any codes of practice, standards of performance or written directions in relation to the STCC that may be issued by the Commissioner (new sections 17E and 35A);
    • (c) Notify the Commissioner of any prescribed cybersecurity incidents [operational details to be released later] (new section 17F), such as:
      • Prescribed cybersecurity incidents in respect of the STCC;
      • Prescribed cybersecurity incidents in respect of any computer or computer system under the owner’s control, that is interconnected with or that communicates with the STCC;
      • Prescribed cybersecurity incidents in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the STCC. 
Scenario 4: If you are designated as an entity of special cybersecurity interest (ESCI)
  • If you are designated as an ESCI, new Part 3C of the Act imposes duties on you, such as to:
    • (a) Provide the Commissioner with information on the system of special cybersecurity interest (new section 18D);
    • (b) Comply with any codes of practice, standards of performance or written directions in relation to the system of special cybersecurity interest that may be issued by the Commissioner (new sections 18E and 35A);
    • (c) Notify the Commissioner of any prescribed cybersecurity incident [operational details to be released later] (new section 18F), where:
      • The incident results in a breach of the availability, confidentiality or integrity of the ESCI’s data; or
      • The incident has a significant impact on the business operations of the ESCI. 
Scenario 5: If you are designated as a major FDI service provider
  • If you are designated as a major FDI service provider, new Part 3D of the Act imposes duties on you, such as to:
    • (a) Provide the Commissioner with information related to the cybersecurity of the major FDI (new section 18K);
    • (b) Comply with any codes of practice, standards of performance or written directions in relation to the major FDI that may be issued or approved by the Commissioner (new sections 18L and 35A);
    • (c) Notify the Commissioner of any prescribed cybersecurity incident [operational details to be released later] (new section 18M), where:
      • The incident results in a disruption or degradation to the continuous delivery of the FDI service it provides in Singapore; or
      • The incident has a significant impact on the major FDI provider’s business operations in Singapore.

Get in touch