On 4 March 2022, the Cyber Security Agency of Singapore (CSA) announced two initiatives intended to address the impact of increased cybersecurity vulnerabilities and the rise of new sectors of the digital economy.1
The first initiative is a wholesale review of Singapore’s primary cybersecurity legislation, the Cybersecurity Act 2018 (Cybersecurity Act), with the intention to potentially expand its scope in view of the country’s increased reliance on digital infrastructure and services and growing cybersecurity concerns.
The second initiative is an update to the Cybersecurity Code of Practice for the 11 critical information infrastructure (CII) sectors designated under the Cybersecurity Act2 (Code). The Code, a set of mandatory cyber hygiene practices that CII sectors have to follow, is being updated to enable CII sector companies to better mitigate new and heightened cybersecurity risks which have emerged in recent years, such as the increased and more high-profile use of ransomware.
Taken together, these proposed changes (summarized in further detail below) will materially increase the scope and level of cybersecurity regulation in Singapore, including in areas of the digital economy which have to date remained outside the jurisdiction of the Cybersecurity Act. While the updates to the Code are expected to be issued in Q2 of 2022, the revisions to the Cybersecurity Act will be discussed with stakeholders before being submitted to public consultation in early 2023.
A. Proposed expansion of the Cybersecurity Act
Summary of the proposed changes
The key proposed changes to the Cybersecurity Act announced by the CSA are as follows:
To date (and consistent with cybersecurity laws in many jurisdictions), the Cybersecurity Act has sought to primarily regulate companies operating in the CII sectors. The CSA is considering whether to apply a similar level of regulation to newer and increasingly prevalent forms of digital infrastructure, such as cloud-based services which support essential services and key digital services (e.g. apps) which are needed to sustain the digital economy.
Factors that the CSA is considering using to determine whether a cloud or digital service or application falls within this category include:
The reach and scale of such digital infrastructure and services, for example, its size;
Whether alternatives are easily available – where they are available, the CSA will consider the costs of switching to these alternatives if the infrastructure or service is hit by a cyberattack. For example, an online search engine would likely be considered a digital service with a low switching cost and may therefore not fall under the increased scope of the revised Cybersecurity Act.
If passed, the changes would mean that owners of cloud and digital services that fall within the increased scope of the revised Cybersecurity Act would potentially be subject to the level of regulation currently applying to CIIs. This would result in these services being obliged to provide information on such key digital services to the Singapore Commissioner for Cybersecurity such as information on the design, configuration and security of such cloud and digital services and applications, notify the Commissioner for Cybersecurity in the event of cybersecurity incidents and conduct regular audits and cybersecurity risk assessments.
Currently, failure to comply with the Cybersecurity Act is an offence potentially resulting in a fine and/or imprisonment. The CSA has not yet indicated whether these penalties will be amended as part of the review of the Cybersecurity Act. Accordingly, assuming the current legal enforcement measures are maintained, an owner of cloud and/or digital services which fall within the purview of the revised Cybersecurity Act may potentially face such penalties in the event of non-compliance.
B. Proposed enhancement of the Code
Summary of the proposed changes
The proposed changes to the Code, which the CSA has stated were prompted by concerns that foundational cyber hygiene practices may no longer be sufficient for CII owners to defend against threats such as ransomware, have been discussed with CII stakeholders. Examples of the enhancements provided by the CSA include allowing CSA or CII sector specific regulators1 to add new requirements for specific sectors such as the telecommunications sector, as and when required, to tackle emerging cybersecurity risks.
The initiatives described in this client alert highlight the Singapore government’s emphasis on building a strong cybersecurity ecosystem to address both present and future cyber threats. As the world and especially the Singapore economy becomes more digitized and, hence, reliance on the digital world continues to grow, it is important that cloud and digital service owners keep abreast of the changing legal requirements and maintain adequate cybersecurity measures to ensure compliance.
1 The CSA’s press release can be accessed at <https://www.csa.gov.sg/News/Press-Releases/review-of-the-cybersecurity-act-and-update-to-the-cybersecurity-code-of-practice-for-ciis>.
2 Currently, 11 sectors are designated as CII sectors under the Cybersecurity Act on the basis they provide essential services, namely sectors relating to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, functioning of government and media.
3 Apart from the CSA, specific CII sectors may also be subject to regulatory oversight by sector specific regulators which may impose more stringent cybersecurity regulations to cater to the specific cybersecurity needs of such CII sector. For example, the telecommunications sector is also specifically regulated by the Infocomm Media Development Authority (IMDA) and hence a CII owner within the telecommunications sector will have to comply with both the CSA and IMDA’s regulations.