Singapore proposes to extend its Cybersecurity Regime

Singapore

This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC. 

The Cyber Security Agency of Singapore (“CSA”) has recently launched a public consultation to seek feedback on the draft Cybersecurity (Amendment) Bill 2023 (the “Bill”) which, if passed, would represent the first significant amendment to the Singapore Cybersecurity Act 2018 (the “Act”). The changes proposed in this Bill are aimed at ensuring that Singapore’s cybersecurity laws remain fit-for-purpose and are able to keep pace with the ever-changing developments and challenges in cyberspace.

As a general overview, the Bill proposes a number of changes to keep the Act relevant (e.g. accounting for the increasing use of cloud computing vendors and computer systems that are not owned by the providers of essential services themselves – see section (a) below) as well as introducing new frameworks whereby the Commissioner of Cybersecurity is empowered to designate additional computer systems, service providers and/or entities for regulation under the Act (see sections (b) to (d) below). The latter effectively expands the current scope of the Act beyond computer systems designated as CII.

We set out some of the key features of the Bill below, which for the avoidance of doubt, are subject to change and do not represent the final legislation. The public consultation ends on 15 January 2024.

(a) Updates to the existing critical information infrastructure (“CII”) framework: The existing CII framework is primarily found in Part 3 of the Act and at the time of enactment, contemplated that the providers of essential services tend to own and control the CII that is used for the continuous delivery of essential services. The changes proposed in the Bill are aimed at closing operational gaps and facilitating the use of virtual computers offered by computing vendors.

  1. Designation of overseas computers or computer systems as provider-owned CII: The power of the Commissioner to designate computer systems as CII has been expanded to include computer systems that are wholly located outside of Singapore - previously, the Commissioner was only able to designate (as CII) computer systems that were located wholly or partly in Singapore. The rationale behind this change is to ensure that providers of essential services that are located outside of Singapore cannot avoid their duties as providers of CII by offshoring their CII.
     
  2. Designation of a provider of essential service that is responsible for the cybersecurity of non-provider-owned CII: Under the new Part 3A, the Commissioner can designate the provider of essential services as a provider that is responsible for the cybersecurity of non-provider-owned CII when the Commissioner determines that the provider does not own and control the CII (e.g. because the provider uses computing or cloud vendors who are the owners of the actual computer systems). The provisions in this new Part 3A make clear that the responsibility for the cybersecurity of the essential service still ultimately rests with the provider. 
    A. Providing information to the Commissioner: To enable the Commissioner to decide whether the computer system should be designated as a non-provider-owned CII, the Commissioner is empowered to require the provider to provide information relating to the computer systems to the Commissioner (including but not limited to information relating to the design of the computer system).
       
    B. Provider to obtain legally binding commitments from owner to furnish information and notify when there is a material change made to the CII: The provider that is responsible for the non-provider-owned CII must obtain a legally binding commitment (likely contained in a contract) from the owner of the CII that the owner will, upon notice from the provider, furnish the provider (who has been issued a notice by the Commissioner) with information about the design, configuration and security of the CII, which includes information about any other computer system under the owner’s control that is interconnected with or that communicates with the non-provider-owned CII.

      Subsequently, if there is a material change made to the non-provider-owned CII after information about the CII has been furnished to the provider, the owner must be required (by obtaining a legally binding commitment) to notify the provider within 30 days so that the provider can notify the Commissioner within 14 days after becoming aware of the material change. A “material change” is a change that affects the cybersecurity of the non-provider-owned CII, or the ability of the owner or provider to respond to a cybersecurity threat or incident.
       
    C. Provider to obtain legally binding commitments from owner to notify when there is a change in ownership of the CII: The provider that is responsible for the non-provider-owned CII must obtain a legally binding commitment that the owner of the CII will notify the provider of any change in the beneficial or legal ownership (including any ownership share) of the non-provider-owned CII within 7 days after the date of the change in ownership. The provider must thereafter inform the Commissioner of this change within 7 days after becoming aware of the change in ownership.
       
    D. Provider to obtain legally binding commitments from owner to notify when there is a cybersecurity incident: The provider must also obtain a legally binding commitment from the owner of the CII that the owner will notify the provider in the event of certain prescribed cybersecurity incidents (the exact circumstances will likely be set out subsequently in subsidiary legislation). The provider is thereafter required to inform the Commissioner of these prescribed cybersecurity incidents. There is no prescribed notification timeline currently proposed in the Bill – this would likely be found in subsidiary legislation.
       
    E. Provider to obtain legally binding commitments from owner to conduct audits and risk assessments: The provider must obtain a legally binding commitment from the owner of the CII that the owner will (i) cause an audit to be carried out on its CII, by an auditor approved by the Commissioner, for adherence to the applicable codes of practice and standards of performance, which must be carried out at least once every 2 years; and (ii) conduct a cybersecurity risk assessment of the CII in a prescribed form / manner at least once a year. Copies of the audit and cybersecurity risk reports must be provided to the provider within 30 days, and the Commissioner may direct the provider to require the owner to conduct additional audits or cybersecurity risk assessments (e.g. where a material change to the design, configuration, security or operation of the non-provider-owned CII has been made).
       
    F. Provider required to participate in a cybersecurity exercise directed by the Commissioner: The provider responsible for the non-provider-owned CII is required to participate in a Commissioner-conducted cybersecurity exercise if so directed by the Commissioner. Such exercises are conducted to test the state of readiness of the providers in responding to significant cybersecurity incidents.

Notably, the Commissioner is empowered to order the provider to cease to use, directly or indirectly, the non-provider-owned CII if the requirements above (in A. to E.) are not complied with. Failure to comply with the Commissioner’s orders can expose the provider to a fine of up to S$100,000, imprisonment for a term up to 2 years, or both.

Providers who are aggrieved by the decisions or orders of the Commissioner are provided with a right to appeal to the Minister who can establish an Appeals Advisory Panel to provide technical / specialised advice to the Minister for the appeal.

(b) New framework governing foundational digital infrastructure (“FDI”): The new Part 3B aims at ensuring that the digital infrastructure that Singaporeans rely on is secure, even if such infrastructure is not designated as CII. Some examples of such digital infrastructure would include physical infrastructure that carries data (e.g. data centres and internet exchanges) and virtualised infrastructure that provides crucial services supporting the digital domain (e.g. Domain Name System, cloud services and content delivery networks).

  1. Designation of a major FDI service provider: The Commissioner may designate a provider of an FDI service as a major FDI service provider if (i) the computer system is necessary for the continuous delivery of an FDI service by the provider; and (ii) the provider provides the service (A) to persons in Singapore; or (B) wholly or partially from Singapore, and the loss or impairment of the FDI service will cause disruption to the operation of a large number of businesses in Singapore which rely on the FDI service.

    The proposed third schedule to the Act currently prescribes cloud computing services and data centre facility services as FDI services. 
     
  2. Furnishing of information by major FDI service provider: Upon notice from the Commissioner, a major FDI service provider is required to furnish information to the Commissioner within a reasonable period specified in the notice. Such information includes information on the measures in place to safeguard the cybersecurity of the major FDI and information on the design features of the major FDI.
     
  3. Reporting obligations of the major FDI service provider: The major FDI service provider must notify the Commissioner in the prescribed form and manner, of the occurrence of certain prescribed cybersecurity incidents in relation to the computer systems under the major FDI service provider’s control. There is no prescribed notification timeline currently proposed in the Bill – this would likely be found in subsidiary legislation. CSA has mentioned that the operational details (e.g. the prescribed cybersecurity incidents, threshold requirements for when reporting would be mandatory and the reporting timelines) will be developed subsequently in consultation with stakeholders and with reference to international practices.

The financial penalties for failing to comply with the Part 3B requirements are still being considered by the CSA, taking into account comparable laws in other jurisdictions and other comparable statutes under Singapore law.

(c) New framework for entities of special cybersecurity interest (“ESCI”): The new Part 3C aims at ensuring that entities that are particularly attractive targets of malicious threat actors (because of the sensitive data they possess or the function they perform) meet an adequate level of cybersecurity. The objective is also to enhance the situational awareness surrounding cybersecurity threats and incidents that may affect ESCIs.

  1. Designation of an entity of special cybersecurity interest: The Commissioner may designate an entity (which can be incorporated under any written law) as an ESCI if the entity stores sensitive information in a computer system, or the entity uses a computer system to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
     
  2. Furnishing of information by entity of special cybersecurity interest: Upon notice from the Commissioner, the ESCI is required to furnish information to the Commissioner within a reasonable period specified in the notice. Such information includes information on the design, configuration and security of the system of special cybersecurity interest and any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the aforementioned system. 
     
  3. Reporting obligations of the entity of special cybersecurity interest: The ESCI must notify the Commissioner in the prescribed form and manner, after becoming aware of the occurrence of a prescribed cybersecurity incident, in relation to the computer systems under the entity’s control, where the incident either (i) results in a breach in the availability, confidentiality, or integrity of the entity’s data; or (ii) has a significant impact on the entity’s business operations. Similar to the reporting obligations for major FDI service providers, the operational details for reporting will be made known subsequently.

The financial penalties for failing to comply with the Part 3C requirements are also still being considered by the CSA.

(d) New framework for systems of temporary cybersecurity concern (“STCC”): The new Part 3D is aimed at regulating computer systems that are, for a limited time period, critical to Singapore – e.g. systems that are set up specifically to support high-profile international events in Singapore (e.g. World Economic Forum), or systems that support the distribution of vaccines during the pandemic. As it would be burdensome to designate these computer systems as CII for a limited time, this new Part 3D allows the Commissioner to be flexible in designating STCCs to ensure that appropriate cybersecurity measures are taken to secure these systems.

  1. Designation of a system of temporary cybersecurity concern: The Commissioner may designate a computer system as an STCC if the computer system is located wholly or partly in Singapore and, during a limited period: (i) there is a high risk that a cybersecurity threat or incident may be carried out that would adversely affect the cybersecurity of the computer system; and (ii) the compromise of the computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
     
  2. Furnishing of information by the owner of a system of temporary cybersecurity concern: Upon notice from the Commissioner, the owner of an STCC is required to furnish information to the Commissioner within a reasonable period specified in the notice. Such information includes information on the design, configuration and security of the STCC, or relating to the operation of any other computer system under the owner’s control that is interconnected with or that communicates with the STCC.
     
  3. Reporting obligations of the owner of a system of temporary cybersecurity concern: The owner of the STCC must notify the Commissioner in the prescribed form and manner, after becoming aware of the occurrence of certain prescribed cybersecurity incidents that relate to the STCC or to computer systems that are interconnected with or that communicate with the STCC. The operational details for reporting will be set out in subsequent subsidiary legislation.

Apart from the above changes, there are other proposed changes found in the Bill which include, for example, requiring regulated entities to comply with codes of practice and standards of performance that are issued or approved by the Commissioner, requiring the regulated entities to establish mechanisms and processes (as set out in the applicable codes of practice) for the purpose of detecting cybersecurity threats and incidents, and prohibiting unauthorised persons from using symbols or representations that are identical, or confusingly similar, to CSA’s symbol or representation.

The proposed changes reflect CSA’s commitment to ensuring that Singapore’s cyberspace remains secure as Singapore becomes more digitally connected and reliant on digital technologies. Players such as data centre providers, cloud computing vendors and providers of essential services themselves will be impacted by the Bill.

Please get in touch with us if you wish to understand any of the above in more detail or the potential implications of the Bill to your business.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Bill; the information, content, and materials set out above are based on our reading of the proposed amendments and are for general informational purposes only.