Enhancements to Singapore’s Cybersecurity Governance

Taken together, these proposed changes (summarized in further detail below) will materially increase the scope and level of cybersecurity regulation in Singapore, including in areas of the digital economy which have to date remained outside the jurisdiction of the Cybersecurity Act. While the updates to the Code are expected to be issued in Q2 of 2022, the revisions to the Cybersecurity Act will be discussed with stakeholders before being submitted to public consultation in early 2023.

A. Proposed expansion of the Cybersecurity Act

Summary of the proposed changes

The key proposed changes to the Cybersecurity Act announced by the CSA are as follows:

• To date (and consistent with cybersecurity laws in many jurisdictions), the Cybersecurity Act has sought to primarily regulate companies operating in the CII sectors. The CSA is considering whether to apply a similar level of regulation to newer and increasingly prevalent forms of digital infrastructure, such as cloud-based services which support essential services and key digital services (e.g. apps) which are needed to sustain the digital economy.
• Factors that the CSA is considering using to determine whether a cloud or digital service or application falls within this category include:
  • The reach and scale of such digital infrastructure and services, for example, its size;
  • Whether alternatives are easily available – where they are available, the CSA will consider the costs of switching to these alternatives if the infrastructure or service is hit by a cyberattack. For example, an online search engine would likely be considered a digital service with a low switching cost and may therefore not fall under the increased scope of the revised Cybersecurity Act.

If passed, the changes would mean that owners of cloud and digital services that fall within the increased scope of the revised Cybersecurity Act would potentially be subject to the level of regulation currently applying to CIIs. This would result in these services being obliged to provide information on such key digital services to the Singapore Commissioner for Cybersecurity such as information on the design, configuration and security of such cloud and digital services and applications, notify the Commissioner for Cybersecurity in the event of cybersecurity incidents and conduct regular audits and cybersecurity risk assessments.

Currently, failure to comply with the Cybersecurity Act is an offence potentially resulting in a fine and/or imprisonment. The CSA has not yet indicated whether these penalties will be amended as part of the review of the Cybersecurity Act.  Accordingly, assuming the current legal enforcement measures are maintained, an owner of cloud and/or digital services which fall within the purview of the revised Cybersecurity Act may potentially face such penalties in the event of non-compliance.

B. Proposed enhancement of the Code

Summary of the proposed changes

The proposed changes to the Code, which the CSA has stated were prompted by concerns that foundational cyber hygiene practices may no longer be sufficient for CII owners to defend against threats such as ransomware, have been discussed with CII stakeholders. Examples of the enhancements provided by the CSA include allowing CSA or CII sector specific regulators¹  to add new requirements for specific sectors such as the telecommunications sector, as and when required, to tackle emerging cybersecurity risks.

C. Conclusion

The initiatives described in this client alert highlight the Singapore government’s emphasis on building a strong cybersecurity ecosystem to address both present and future cyber threats. As the world and especially the Singapore economy becomes more digitized and, hence, reliance on the digital world continues to grow, it is important that cloud and digital service owners keep abreast of the changing legal requirements and maintain adequate cybersecurity measures to ensure compliance.