On 7 May 2024, the Singapore Parliament passed the Cybersecurity (Amendment) Bill, which amends the Cybersecurity Act 2018 (Act) to address new cybersecurity threats resulting from technological advancements since the Act was passed in 2018.
The Act is the key statute designed to ensure the cybersecurity of essential services that are crucial to Singapore’s economy and national security. Among other things, the Act regulates critical information infrastructure (CII) – i.e., designated computer systems which are critical to the provision of essential services in sectors such as energy, water, healthcare and banking.
The amendments make several key changes, as follows:
- Expanding the definitions of “computer” and “computer system” to include their virtual counterparts.
- Requiring essential service providers to be responsible for the cybersecurity of third-party CII that are used to continuously deliver the provider’s essential services (e.g., by imposing contractual obligations on the CII owner to meet certain cybersecurity standards).
- Empowering the Cyber Security Agency of Singapore (CSA) to designate computers or computer systems wholly located overseas as CII if their owner is in Singapore and they support an essential service in Singapore.
- Expanding the types of cybersecurity incidents which CII owners need to report to the CSA to include incidents affecting (a) other computers under the CII owner’s control and (b) supplier-controlled computers that communicate with the CII, if the CII is owned by an essential service provider.
- Expanding regulation to the following systems:
(a) Systems of Temporary Cybersecurity Concern (STCCs) – CSA-designated systems at high risk of cybersecurity threats for a limited time period, which, if breached, could cause serious detriment to Singapore’s national security, defence, public health, public safety, public order, economy or foreign relations, such as systems that support temporary international events (e.g., APEC Summit). STCC owners will be subject to cybersecurity obligations similar to those imposed on CII owners.
(b) Entities of Special Cybersecurity Interest (ESCIs) – CSA-designated entities (such as universities) that malicious actors frequently target, which, if compromised, could significantly harm Singapore’s national security, defence, public health, public safety, public order, economy or foreign relations. ESCIs will be required to report serious cybersecurity incidents and may be required to comply with cybersecurity standards or codes of practice.
(c) Foundational Digital Infrastructure (FDI) service providers – specified major providers of digital infrastructure that are foundational to Singapore’s way of life and serve a large number of organisations. Examples of such FDI services are cloud service providers and data centres. Similar to ESCIs, FDI service providers may be required to comply with cybersecurity standards or codes of practice. They will also be required to report cybersecurity incidents that result in a disruption or degradation of their service in Singapore or that significantly impact their operations in Singapore.
- Granting additional enforcement powers to the CSA, such as inspection and monitoring authority in certain circumstances and the power to bring actions for civil penalties.
Conclusion
Owners and operators of computer systems, as well as providers of essential services, should keep abreast of the changes to the Act and determine if they need to update their cybersecurity practices and policies to comply with those changes. Such entities should also develop a culture of cybersecurity awareness within their organisations, to avoid the financial and reputational repercussions associated with cybersecurity incidents.
For More Information
OrionW regularly advises clients on data protection and cybersecurity matters. For more information about compliance with Singapore data protection and cybersecurity laws and regulations, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.