
Privacy Ninja

Digging deep: The Cybersecurity Act of Singapore

Cybersecurity Act
The Cybersecurity Act of Singapore

The Cybersecurity Act is an Act that requires or authorizes the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate owners of critical information infrastructure and cybersecurity service providers, and to make consequential or related amendments to certain other written laws.

The Cybersecurity Bill was enacted on February 5, 2018, and received President Halimah Yacob’s assent on March 2, 2018, making it the Cybersecurity Act. The Act offers a legislative framework for Singapore’s national cybersecurity monitoring and maintenance, and it has the following goals and key points:

Creation of a cybersecurity regulator

The Cybersecurity Act provides for the appointment of a Cybersecurity Commissioner as a regulator for the sector.

The Commissioner is given considerable powers under the Act to respond to and prevent cybersecurity issues that harm Singapore. These powers include investigative powers such as the ability to question people, demand the production of evidence, and seize evidence. In addition, if the Commissioner determines that a cybersecurity threat reaches a specific severity level, they may order a person to take corrective action or discontinue a certain activity. These powers extend to all computers and computer systems in Singapore, not only Critical Information Infrastructure (CII).

The Act also gives the Minister the authority to select public officers from other government ministries or regulators as Assistant Commissioners. Assistant Cyber Commissioners are expected to be “Sector Leads” in their respective sectors, i.e., the main government agency responsible for each CII sector. As a result of their previous regulatory contacts, CII owners should be familiar with the Assistant Cyber Commissioners.

For example, the Assistant Cyber Commissioner for financial institutions would presumably be an official from the Monetary Authority of Singapore (MAS). This could, hopefully, reduce the administrative burden on CII owners when engaging with a new regulator for cybersecurity problems by providing continuity and consistency of current connections with regulators.


Who is covered by the Cybersecurity Act – Critical Information Infrastructure

The Cybersecurity Act’s main focus is to impose cybersecurity requirements on public and private owners of critical information infrastructure (CII) that is needed to provide essential services. The following are the 11 important areas of vital services listed in the Cybersecurity Act:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

The Commissioner has the authority to designate a computer system in certain areas as a CII, which will be valid for five (5) years unless the Commissioner withdraws it sooner.

When a computer system is designated as a CII, the Commissioner will notify the legal owners of the CII, who will be responsible for maintaining compliance with the Cybersecurity Act. The Act includes a method for legal owners to notify the Commissioner if they no longer have control of the computer system or are unable to make the necessary adjustments to guarantee compliance. In this scenario, the Commissioner can amend the notice to name instead the party with real authority over the computer system and the ability to make changes.

Parties who have been identified as relevant CII owners by the Commissioner are required by law to follow regulations and directives and report occurrences to the Commissioner. They must also undertake cybersecurity vulnerability audits and risk assessments on a regular basis. Failure to comply with these requirements can result in serious criminal and civil fines.


Cybersecurity Act key objectives

1. Strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks.

Computer systems directly involved in the provision of critical services are referred to as CII. Cyber-attacks against CII have the potential to cripple the economy and society. The Act establishes a framework for the designation of CII and clarifies CII owners’ responsibility to proactively defend the CII against cyber-attacks.

This strengthens the CII’s resilience, safeguarding Singapore’s economy and way of life. Energy, Water, Banking and Finance, Healthcare, Transportation (Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government are among the CII sectors.

2. Authorize CSA to prevent and respond to cybersecurity threats and incidents.

The Commissioner of Cybersecurity is empowered under the Cybersecurity Act to examine cybersecurity threats and events in order to evaluate their impact and avoid additional harm or cybersecurity mishaps. 

The powers that can be exercised are based on the seriousness of the cybersecurity threat or event and the necessary response actions. This assures Singaporeans that the Government can respond effectively to cybersecurity threats and keep Singapore and Singaporeans safe.

3. Establish a framework for sharing cybersecurity information.

The Cybersecurity Act also makes it easier to share information, which is important since timely information helps the Government and owners of computer systems better identify vulnerabilities and avert cyber incidents. 

The Cybersecurity Act establishes a structure for the CSA to seek information, as well as a framework for the protection and dissemination of that information.

4. Establish a light-touch licensing framework for cybersecurity service providers.

CSA presently licenses just two categories of service providers, penetration testing and managed security operations center (SOC) monitoring, using a light-touch approach. Because suppliers of both services have access to sensitive information from their consumers, these two services are prioritized. 

They’re also relatively common in the industry, so they greatly influence the entire security environment. The licensing structure aims to balance the requirement for security and the growth of a thriving cybersecurity ecosystem.
