A. What are the key changes in the proposed Bill?
- Expands the scope of the CA to cover situations where the provider does not own and control the critical information infrastructure (“CII”) used for the continuous delivery of the essential services they are responsible for (i.e., non-provider-owned CII) The provider of essential services will be required to obtain legally binding commitments from their computing vendors / the owners of the non-provider-owned CII.
- Widens oversight of the Commissioner of Cybersecurity (the “Commissioner”) beyond CII owners to also include major foundational digital infrastructure service providers, entities of special cybersecurity interest and owners of systems of temporary cybersecurity concern.
- Enhances regulatory powers of the Commissioner by, for example, expanding the types of incidents to be reported to the Commissioner and granting the Commissioner the power to authorise the conduct of on-site inspections.
B. Why are these changes being made?
As Singapore continues to digitalise, there is an increased risk of cyber attacks. Given the potentially pervasive knock-on impact that disruptions to the functioning of digital infrastructure can have on essential services, it is important to ensure that there are necessary safeguards put in place, so that Singaporeans and businesses can embrace digitalisation with confidence.
C. Whom does it affect? Does the service I am providing fall under the new provisions? What are my obligations?
We have set out 5 types of entities who are intended to be affected by the proposed amendments.
In general, all of the above entities below will be required to adhere to cybersecurity standards of practice, report cybersecurity incidents to CSA, and comply with directions issued by the Commission to ensure the cybersecurity of specific computer systems under their charge. For specific obligations for each type of entity, please see the Annex below.
| Entity |
What are my obligations? |
| If the computer/computer system you use is designated as CII |
(1) Non-provider-owned CII
Providers of essential service who do not own the CII they use, but use CII owned by a computing vendor, and the provider is designated by the Commissioner as a “provider of an essential service responsible for the cybersecurity of non-provider-owned critical information infrastructure” under section 18AA
|
- New obligations in Part 3A (see more in Scenario 1 in the Annex below)
|
(2) Provider-owned CII
Providers of essential services who own the CII they use, and the CII is designated by the Commissioner under section 7 as “provider-owned critical information infrastructure” |
- New incident reporting obligations under Part 3 (see more in Scenario 2 in the Annex below)
|
| If the computer/computer system you use is not designated as CII under section 7 or new section 18AA, it may still fall within one of the 3 categories below |
(3) Major FDI service providers (in particular cloud computing service providers and data centre facility service providers)
Providers of “foundational digital infrastructure services”[1], where the provider is designated as a “major FDI service provider”.
You may be designated as a major FDI service provider if the Commissioner is satisfied that you provide an FDI service to or from Singapore, and the loss or impairment of the provision of the FDI service will lead to or cause disruption to a large number of businesses or organisations that rely on or are enabled by the FDI service.
[1] “Foundational digital infrastructure services” are services that promote the availability, latency, throughput or security of digital services, and have been specified in the Third Schedule to the Act:
- Providing a cloud computing service, meaning a service, delivered from a computer or computer system in Singapore or outside Singapore, that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; or
- Providing a data centre facility service, meaning any service which relies on a computer or computer system in Singapore to facilitate data storage, processing and transmission by another person through the centralised accommodation, interconnection and operation of one or more computers or computer systems, encompassed within a facility in Singapore dedicated to that purpose, which —
- includes a service to host that other person’s computers or computer systems within the facility; and
- excludes a service provided from a facility which is owned by the sole party using the service.
|
- New obligations under Part 3B (see more in Scenario 3 in the Annex below)
|
(4) Entities of special cybersecurity interest
An entity (body corporate, unincorporated association, partnership or a person other than an individual) designated as an “entity of special cybersecurity interest” (ESCI).
You may be designated as an ESCI if the Commissioner is satisfied that you store sensitive information, or if you use computers/computer systems to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore. |
- New obligations under Part 3C (see more in Scenario 4 in the Annex below)
|
(5) Owners of systems of temporary cybersecurity concern
If you are the owner of a computer or computer system designated as a “system of temporary cybersecurity concern” (STCC).
Your computer or computer system (located wholly or partly in Singapore) may be designated as an STCC if the Commissioner is satisfied that the risk of a cyber-attack on the computer or computer system is high and the loss or compromise of the computer or compute system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
Examples of STCC would be systems set up specifically to support high-key international events in Singapore (e.g. the World Economic Forum), or systems set up to support the distribution of vaccines during the COVID-19 pandemic.
|
- New obligations under Part 3D (see more in Scenario 5, in the Annex below)
|
D. What are the penalties for non-compliance?
In the event of any non-compliance with the amended law, this may invite a fine of up to $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
As an example, such a penalty would be applicable where the provider of the essential service (who is not the owner of the CII) fails to obtain the required commitments from the owner of the non-provider-owned CII, and the provider of the essential service, without reasonable excuse, thereafter fails to comply with the Commissioner’s order to cease the use of the non-provider-owned CII.
The CSA is also contemplating financial penalties in lieu of fines/imprisonment in relation to major FDI service providers or persons designated as an entity of special cybersecurity interest. The financial penalties are presently under review and will be set out in a future version of the Bill. The CSA has indicated that the financial penalties will be (a) commensurate with the risks resulting from non-compliance and (b) an effective deterrent against non-compliance.
E. What are my next steps before the legislation comes into force?
For your reference, please click here to access Public Consultations Paper on the Cybersecurity Amendment Bill, and click here to access Draft Cybersecurity (Amendment) Bill 2023.
If you intend to provide any feedback in relation to the proposed amendments to the CA, such feedback must be submitted no later than 5pm (SGT) on 15 January 2024. |