Singapore’s First Cybersecurity Bill: 3 Key Concepts for Your Organisation

02/08/2017

This article has been produced with Holborn Law, which operates in association with CMS.

Singapore’s long-awaited draft Cybersecurity Bill (the Bill) was issued by the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) for public consultation which closes on 3 August 2017.

As a small and highly connected nation, Singapore is dependent on info-communications technology, and cybersecurity threats need to be taken seriously. Attacks on critical information infrastructure (CII) systems that manage utilities, healthcare, banking and finance, transportation and other essential services can lead to disruptions that can cripple Singapore’s economy and lead to loss of life.

In view of recent cybersecurity incidents globally and locally, the Singapore Government in April 2015 set up the CSA as a central agency to oversee and coordinate all aspects of cybersecurity for Singapore, and announced the launch of Singapore’s Cybersecurity Strategy a year later. This Bill is an extension of this effort, and consolidates the cybersecurity approach across various sectors in both the public and private spheres.

Even though the current Computer Misuse and Cybersecurity Act contains some provisions on cybersecurity, it primarily concerns specific cybercrime such as e-commerce scams and hacking. This Bill, however, is more general and caters more broadly to the security of a computer or computer system against unauthorised access or malicious acts, to preserve their availability and integrity, or the confidentiality of information stored or processed in them.

We have identified below the 3 key concepts that should be noted from the Bill:

1. Obligations of owners of “critical information infrastructures”

This Bill provides a framework for the regulation of CII owners, where the CIIs are located wholly or partly in Singapore, and ensures that such owners are responsible for the cybersecurity of these CIIs. To achieve this, Section 10 of the Bill sets out the statutory duties that CII owners have to fulfil, including the following:

a) providing the Commissioner with information on the technical architecture of the CII;

b) complying with codes of practice, standards of performance or directions in relation to the CII as may be issued by the Commissioner;

c) notifying the Commissioner of any cybersecurity incident in respect of: (i) the CII; (ii) any computer or computer system under the owner’s control that is interconnected with or communicates with the CII; and (iii) any cybersecurity incident of a type as prescribed by notification or as specified by the Commissioner;

d) undertaking regular audits of the compliance of the CII with the Bill and any applicable codes of practice or standards of performance;

e) undertaking regular risk assessments; and

f) participating in cybersecurity exercises.

Will this affect me?

Since these statutory obligations only apply to CII owners, they will only be applicable if you or your organisation is classified under the Bill as an “owner” of a “critical information infrastructure”.

Under the Bill, “critical information infrastructure” refers to a computer or a computer system that is necessary for the continuous delivery of “essential services” which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. The First Schedule of the Bill provides a list of these “essential services”, and currently includes services in 11 sectors which are energy, info-communications, water, healthcare, banking and finance, security and emergency, aviation, land transport, maritime, those relating to functioning of government and media. The public consultation paper notes that new “essential services” may be added from time to time by the Minister.[1]

“Owners” of such CIIs refer to a person who has effective control over the operations of the CII and has the ability and right to carry out changes to the CII, or is responsible for ensuring the continuous functioning of the CII.

How does it affect me?

If you or your organisation operates in one of the 11 sectors which provide “essential services”, you should carry out an assessment on which of your computer systems may be classified as a CII under the Bill, as well as whether you or your organisation will be defined as an “owner” of such a CII.

If you have determined that you or your organisation is an “owner” of a CII, it is advisable that you start a review of your organisation’s internal policies and practices to ensure that they comply with the requirements stipulated in the Bill and to ensure that your organisation is prepared to comply with applicable codes and directions when these are eventually proposed. You and your organisation should also cater for the other statutory obligations highlighted in the Bill such as regular audits and risk assessments. You should consider obtaining external technical help and capabilities, especially as you may require additional resources to comply with the potentially tight compliance timelines.

2. Commissioner’s powers to investigate and prevent cybersecurity incidents

While most of the cybersecurity threats and incidents that occur in Singapore are not major and do not have serious consequences, some of these will be serious and have a real risk of affecting CIIs or a large number of computers and individuals across Singapore. Under the Bill, each CII owner is responsible for the cybersecurity of their CIIs, but the Commissioner has the mandate for the overall prevention and containment of cybersecurity threats and incidents nationally.

The government’s powers in respect of such cybersecurity threats or incidents will depend on the severity of the situation, and the following is a brief overview of these powers under each scenario:

a) All cybersecurity threats and incidents: If the Commissioner has information on a cybersecurity threat or incident, he may examine anyone relevant to the investigation and take statements, and require the provision of relevant information. This will allow the Commissioner to decide whether the threat or incident is serious and whether further action should be taken.

b) Serious cybersecurity threats and incidents: The Commissioner may exercise more intrusive measures, including directing persons to carry out remedial measures and assist in the investigation, entering premises, and scanning computers for cybersecurity vulnerabilities. The Commissioner may also seize any computer or equipment to carry out further analysis if doing so is necessary for the investigation and the benefit of doing so outweighs the detriment caused to the owner.

c) Emergency measures and requirements: The Minister may authorise any person to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service.

Under the Bill, a cybersecurity threat or incident is deemed serious if it, amongst other things, creates a real risk of significant harm being caused to a CII, creates a real risk of disruption being caused to the delivery of an “essential service”, or creates a real threat to the national security, economy or public safety of Singapore.

Will this affect me?

Since these powers may be exercised in respect of any computer or computer system in Singapore, not only CIIs, you or your organisation will most likely be subject to the powers granted to the government to prevent and contain cybersecurity threats or incidents under this Bill.

How does this affect me?

If you or your organisation are subject to an investigation in respect of a cybersecurity threat or incident, you should ensure compliance with any and all directions provided by the Commissioner or an investigating officer. Failure to do so will attract criminal sanctions including fines or imprisonment.

In practice, the Commissioner’s exercise of these powers may cause interruptions to your or your organisation’s business operations. As such, it is important to ensure that you or your organisation have adequate cybersecurity measures in place to prevent the occurrence of such cybersecurity threats or incidents, thereby removing the need for the Commissioner to step in.

3. Licensing requirements for “cybersecurity service providers”

With Singapore’s Smart Nation initiative and push towards a digital economy, cybersecurity risks are becoming more widespread. As such, there is an increasing need for credible cybersecurity services, and the government has proposed the introduction of a light-touch licensing regime for cybersecurity service providers.

Under Part 5 of the Bill, organisations cannot provide certain cybersecurity services unless they are licensed, and only if these services are conducted in accordance with the conditions of the relevant licence.

There are two types of licences:

a) Investigative cybersecurity service: cybersecurity service that is investigative in nature and: (i) involves circumventing controls implemented in another person’s computer or computer system; or (ii) requires the person performing the service to obtain a deep level of access to the computer or computer system in respect of which the service is being performed, or to test the cybersecurity defences of the computer or computer system, thereby giving rise to a potential for significant harm to be caused to the computer or computer system. For example, searching for or exploiting cybersecurity vulnerabilities in the computer or computer system of another person for the purpose of improving the cybersecurity of the computer or computer system.

b) Non-investigative cybersecurity service: cybersecurity service that is not investigative in nature. For example, monitoring the cybersecurity of a computer or computer system of another person, or assessing or monitoring compliance with an organisation’s cybersecurity policy.

The grant or renewal of such licences is subject to the applicant having, amongst other things, satisfied the licensing officer that he has the qualifications and the practical experience required for that licence.

Will this affect me?

Currently, the Bill provides that “penetration testing services”[2] will be regulated under an investigative cybersecurity service licence, while “managed security operations centre (SOC) monitoring services”[3] will be regulated under a non-investigative cybersecurity service licence. As such, if you or your organisation provides cybersecurity services, you should assess whether the cybersecurity services provided would fall under the definition of “penetration testing services” or “managed security operations centre (SOC) monitoring services” under the Bill. It should be noted that CSA is proposing that the licensing of these two cybersecurity services will be just a start, and it is envisaged that there may be more cybersecurity services which may be licensable in the future.

Conversely, if you are a procurer of licensable cybersecurity services, you should also ensure that you only obtain the services of licensed service providers.

How does it affect me?

If you or your organisation provides either “penetration testing services” or “managed security operations centre (SOC) monitoring services”, you should keep yourself updated on the list of qualifications and practical experience or any other requirements prescribed for the issuing of the licence that will be published in the future. You should also bear in mind that the timelines and other specific details of the licence application process have not yet been determined, and it is useful to keep yourself updated whenever the relevant details are published.

It is also important to note that the employees of you or your organisation also have to be licensed as cybersecurity service practitioners in order for them to perform a licensed cybersecurity service.

If you are a procurer of licensable cybersecurity services, you may be required to change cybersecurity service providers if they are not currently licensed.

Next steps

As Singapore moves towards its aim of becoming a Smart Nation, it will be increasingly dependent on technology and concurrently more vulnerable to the impact of cybersecurity threats and incidents. The proposals put forward in this Bill seek to prevent and contain such threats and incidents when they inevitably arise, and are to be welcomed. But the consequences of such proposals mean that there are new and additional obligations on all companies, not just CII owners, to ensure that they are cybersecurity-ready and switched on to the various issues and practices necessary to operate in this cybersecurity space.

We are happy to have a discussion with you on how the Bill may potentially impact on you and your organisation. Please contact any of our key contacts below if you require further information or assistance.

[1] Note: It is currently unclear from the Bill whether computers or computer systems will automatically be classified as CIIs if they fulfil the criteria described above, or whether the Commissioner, under Section 7(1) of the Bill, needs to first designate them as CIIs for the purposes of the Bill. We are hopeful for further clarifications from the government during the public consultation.

[2] i.e. Services for assessing and testing the cybersecurity level by searching for vulnerabilities in the computer or computer system.

[3] i.e. Services for assessing a computer or computer system to prevent, detect and respond to any cybersecurity threats or incidents.