Added security comes at a price: The impact of Singapore's Cybersecurity Act
A series of cyber attacks was mounted on several government websites in Singapore in 2013, in which the websites of the Prime Minister, government schools and the People's Action Party's Community Foundation were defaced.
Fast forward five years to 2018 and the personal information of some 1.5 million people, including the Prime Minister's health records, was stolen in a cyber attack on healthcare group SingHealth's database.
Amidst this climate, Singapore's Parliament passed the Cybersecurity Bill in February 2018.
The Act in brief
The Cybersecurity Act (the Act) came into force on 31 August 2018, aiming to enhance Singapore’s cyber security landscape and strengthen the city state's ability to routinely protect the nation’s critical information infrastructure (CII).
The Act establishes a dedicated framework for the direct oversight and maintenance of national cyber security in Singapore, augmenting the powers already available in the Computer Misuse and Cybersecurity Act (CMCA) by applying pre-emptive regulation to ensure routine and proactive protection of CII.
In detail: Exploring the Act's remit
The role of the Commissioner
The Commissioner of Cybersecurity (the Commissioner) acts as the regulator for the Act and has wide powers to aid in its administration.
- The Commissioner has the power to designate any computer or computer system as a CII, if:
- It is necessary for the continuous delivery of an essential service.
- The loss or compromise of the computer or system would have a debilitating effect on the availability of the essential service in Singapore.
This designation is effective for five years.
The Act applies to designated CII organisations that provide services to 11 critical sectors: Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Info-communications, Media, and Security & Emergency Services.
These would include CII organisations that provide air navigation services, airport passenger control and operations, flight operations of aircraft, maritime container terminal operations, bunker supplies and general and bulk cargo terminal operations.
The Act focuses on regulating the party that has effective control over the CII. It is possible for a person who receives a notice of designation from the Commissioner to request for the notice to be amended and instead addressed to the Controller (i.e. the party who has effective control over the CII).
The Controller may be subject to the relevant obligations pursuant to the Act, as if it was the CII owner.
CII organisations with computer systems that are not physically located in Singapore are exempt from the Act.
Duties and obligations
- The Act places duties and obligations on the designated computer system owners of CII organisations, for example:
- Compliance with codes of practice and standards of performance.
- Compliance with directives given by the Commissioner (e.g. to be furnished with information relating to CII).
- Conducting of cyber security audits and risk assessments.
- Participation in cyber security exercises.
- Establishing processes to detect cyber security threats.
- Setting out cyber security codes of practice.
- Reporting cyber security incidents and/or breaches that occur in respect of the CII to the Commissioner.
The Act places an additional licensing requirement for providers of managed security operations centre monitoring services and penetration testing services.
Consequences of non-compliance
- The Act penalises any person who fails to comply with the Commissioner’s notice to provide information with fines of up to SG$20,000, imprisonment of up to 12 months or both.
- In addition, CII organisations may also be subject to regulatory actions, remedial measures and investigations by the Commissioner, as a result of non-compliance with the Act.
- There are similar penalties for cyber security service providers that fail to adhere to the licensing regime in the Act. Such service providers could be liable for a fine of up to SG$10,000, imprisonment of up to 12 months or both.
- Uncertainty: In practice, there is still uncertainty about what will constitute a "debilitating effect" under the Act and also how actively organisations will be designated as CII.
- Costs of compliance: The Act is likely to result in increased compliance costs associated with the implementation of various security solutions to strengthen CII and safeguard sensitive data.
Similar concerns were raised during the Parliamentary Debate prior to the passing of the Act, where the Government provided assurance that the authorities would cooperate with sector regulators, to minimise compliance costs.
Moreover, relations between CII owners and third-party service providers will need to be recalibrated in order to ensure overall compliance with the Act.
- Greater proactivity needed: Moving forward, CII owners should take a pro-active approach to strengthen cyber security measures and take steps to remedy any potential gaps in their current cyber security systems.
For further advice
Clients who have received a notice of designation from the Commissioner may contact the authors of this briefing for a discussion on your options and obligations under the Act.
Should you have any questions, please do not hesitate to contact the authors of this briefing.