Singapore's New Cybersecurity Act - A Relief and Leading the Way for Others?
On 5 February 2018, the Cybersecurity Bill was passed by Parliament. A draft version of this bill (Draft Bill) had previously been issued for public consultation by the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) on 10 July 2017. The Draft Bill was subsequently revised to take into account feedback gathered during this consultation exercise. For an overview of the key requirements of the Draft Bill, please refer to our earlier update. This update focuses on the amendments that have since found their way into the Cybersecurity Act as passed by Parliament.
The Cybersecurity Act addresses quite a number of concerns raised during the public consultation exercise. For instance, our previous update questioned the definition of "significant cybersecurity incidents" which need to be reported, the technical standards expected to be maintained in the Draft Bill, and raised queries relating to when notifications on change in ownership of critical information infrastructure ("CII") are required. The Cybersecurity Act does away with the first two terms and provides welcome clarity on the notification requirement. In addition, through its removal of the individual licensing requirement, its emphasis on compliance with promulgated codes of practice, and its express designation of CII and cybersecurity threats, the Cybersecurity Act significantly reduces the compliance burden on cybersecurity professionals and CII owners. It was also welcome to see that computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs, as clarified by the Ministry of Communications and Information and the Cyber Security Agency of Singapore in their Report On Public Consultation On The Draft Cybersecurity Bill issued in November 2017. This means that data centre owners and cloud services operators will not be caught (at least in this phase) by the Cybersecurity Act.
Many jurisdictions in the region are in the process of developing their own cybersecurity legislation to impose requirements on certain businesses to implement protections against cybersecurity risks in their computer systems. A source of frustration for businesses operating in multiple jurisdictions is the divergence in approaches taken by lawmakers. It will be interesting to watch whether these jurisdictions take a similar approach to Singapore and narrow their cybersecurity legislation to cover just CII owners rather than all network operators.
Summary of key changes
1. Designation and protection of critical information infrastructure
- A main focus of the Cybersecurity Act is regulation of owners of CII. The definition of CII is limited to computers or computer systems that have been expressly designated as such by the Commissioner of Cybersecurity (the Commissioner). The Draft Bill had suggested a broader meaning of CII, extending beyond expressly designated computer systems.
- The term "owner of a CII" is defined as its legal owner (including joint owner). The Draft Bill definition was broader and extended to someone with effective control or responsibility for its continuous functioning. The significance of being an owner of CII is that the Commissioner may issue the owner of CII with a notice designating a computer or computer system as CII for the purposes of the Cybersecurity Act. The Commissioner may designate the computer or computer system as CII if satisfied that it is necessary for the continuous delivery of an essential service (46 are listed) and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore. It is also worth noting that to be regulated as CII the computer or computer system needs to be wholly or partly located in Singapore.
- The Cybersecurity Act introduces a mechanism allowing a person who has received a notice from the Commissioner designating a computer or computer system as a CII to request that the notice instead be sent to a third party, after showing that only that third party has effective control over, and the right to change, the system. That third party is then deemed to be the owner of the CII for the purposes of the Cybersecurity Act.
- The Cybersecurity Act modifies the requirements for audits and risk assessments. Previously, the Draft Bill required audits and risk assessments every three years. The Cybersecurity Act now requires audits at least once every two years and risk assessments once a year.
- The Cybersecurity Act provides more clarity on notifications on changes in ownership of CII. It specifies that any change in beneficial or legal ownership (including any share in such ownership) must be reported not later than seven days after the date of change in ownership. The Draft Bill required owners to notify the Commissioner of any change in ownership no later than 90 days before the date of the intended change in ownership. The requirement to notify in advance of ownership change raised obvious practical and confidentiality concerns.
- The Cybersecurity Act requires owners of CII to report "prescribed" cybersecurity incidents or any other incidents specified by the Commissioner. Previously, the Draft Bill required the reporting of all "significant" cybersecurity incidents. Prescribed cybersecurity incidents requiring notification will be set by the Commissioner.
- The Cybersecurity Act requires owners of CII to establish mechanisms and processes for the purposes of detecting cybersecurity threats and incidents as set out in any applicable code of practice. Previously, owners of CII had to establish mechanisms and processes to detect "any cybersecurity threat".
- The Cybersecurity Act removes reference to "recommended technical standards" in the context of the standard of performance expected from owners of CII. This change is welcome; our earlier update pointed out that this phrase was vague and undefined.
2. Licensing of Cybersecurity Service Providers
- The number of licensing schemes has been reduced to one; the distinction between "investigative" and "non-investigative" cybersecurity services has been removed and replaced with a narrower concept of licensable services. Under the Cybersecurity Act, penetration testing and managed security operations centre ("SOC") monitoring services are licensable cybersecurity services that cannot be performed without a licence.
- The Cybersecurity Act now clarifies that employees who are hired to provide cybersecurity services are no longer subject to licensing requirements. In other words, licensing is only compulsory for those in the business of providing cybersecurity services, whether they are individuals or corporate entities.
- A company does not require a separate licence if a related company already holds such a licence. "Related company" in the Act has the same meaning as the term in the Companies Act.
- A licensee must now only keep records for three years; the Draft Bill required a duration of five years.
3. When information requested by the Commissioner may be withheld
Where the Commissioner has reason to believe that a computer or computer system may constitute a CII and requests information to substantiate this belief, the Cybersecurity Act now clarifies that any person to whom a notice for information is issued is not obliged to disclose information protected by law, contract, or the rules of professional conduct. Previously, it was not clear whether professional conduct rules or contractual obligations could legitimately prevent disclosure.
However, a contractual obligation remains an invalid excuse for refusing to disclose information in the context of (i) an information request pertaining to a known CII or (ii) investigations of cybersecurity incidents. Under the Cybersecurity Act, the CII owner will not be treated as being in breach of any such contractual obligation if the disclosure was done with reasonable care and in good faith for the purpose of complying with such an information request. However, these provisions still risk raising concerns with businesses about protection of their commercially sensitive information.
We note that there are still a number of terms in the Cybersecurity Act that remain somewhat uncertain. For instance, we observe that the term "debilitating effect" used in Section 7(1), referring to the availability of an essential service, remains undefined. In addition, the Cybersecurity Act's Regulations - which would furnish important details relating to the practical operation of the Act - have yet to be published. Matters to be covered in the Regulations include the process for the designation of CII, the standards to be maintained by an owner of CII, the responsibilities and duties of an owner of CII, and the types of changes that are considered material changes to the design, configuration, security or operations of CII that must be reported by an owner of CII.
A key practical issue for owners of CII regulated under the Cybersecurity Act will be implementing arrangements with the third party service providers responsible for operating and supporting the CII that enable the owners of CII to comply with the Cybersecurity Act.
The Cybersecurity Act reflects the Singapore Government's calibrated and balanced approach to countering cybersecurity threats. The amendments attempt to strike a balance between the need for regulatory authorities to expeditiously designate, investigate, and receive information on critical information infrastructure and cybersecurity threats, and the burdens imposed on companies and private individuals in the IT industry.