New licensing requirements for cyber-security service providers in 2022

To roll out this 2022: New licensing requirements for cyber-security service providers in 2022

SINGAPORE – With an aim to give greater assurance for the safety of customers and raise the quality of providers, according to Cyber Security Agency of Singapore (CSA), Cyber-security service providers will need to be licensed in 2022. 

Companies or individuals as providers, under the new framework, will be licensed and is expected to kick in early next year. Public consultation on the licensing conditions and legislation has been launched by the Cyber Security Agency of Singapore (CSA).

To apply for such licenses, these service providers will now be given six (6) months from the effectivity of the framework. “Penetration Testing”, which checks if an organization can respond and identify simulated cyber-security attacks, will be one of the services to be licensed. Other services that entails monitoring activities in computer systems to identify threats are also licensable.  

Also Read: What You Need to Know About Singapore’s Data Sharing Arrangements

Fines for operating without a license

$50,000 will be fined to providers if their services are conducted without a license, and if convicted, may serve a prison sentence up to two (2) years, or both. Such licenses may also be suspended or revoked.

With each failure to comply with a licensing condition, $10,000 can be fined by the Cyber Security Agency (CSA) to errant individuals or companies, and this shall not exceed $50,000. 

Licensing Conditions to follow

Companies and individual (such as freelancers or a sole proprietorship) service providers are required to have key officers that are “fit and proper”. This is important especially when choosing a Data Protection Officer (DPO) for the cybersecurity hygiene of the organization and its data protection efforts. There is a need that they have a clean record, meaning no criminal convictions or judgement are in their names in a civil proceedings involving dishonesty, morally depraved or wicked behavior, or fraud. 

At least 30 days before the appointment of a new key officer, there is a need for these Companies or individuals to inform the Cyber Security Agency. Also, to help it investigate any potential breaches of the license, it is prerogative for them to provide information as needed. 

Furthermore, for at least three (3) years, Companies or individuals are required to keep basic records of the services provided. These include details of the work done and client names. It is also mandatory for them to keep every client’s information confidential.

Singapore as the first!

It is believed that Singapore is one of the first countries in the world to introduce licensing for cyber-security service providers.

With the report of the Cyber Security Agency that cyber threats in Singapore have risen, the consultation on the licensing conditions came after. For instance, during the Covid-19 pandemic, cyber-attacks have tripled in number with “zombie” devices linked to the Internet.

Also called as botnet drones, 6,600 malware-laced devices on average on a daily basis have been observed in 2020. This is a big jump from 2019’s 2,300.

Aims of the Framework

According to the Cyber Security Agency, the demand for credible cyber-security services will continue to grow as cyber-security risks become more widespread. There is a need that the service providers need to be fit and proper as some services can be intrusive and sensitive. For if the clients’ networks and systems are abused by the service providers’ access, it can lead to disruption to customer’s operations and it can compromise it. 

Furthermore, one of the aims of licensing is to improve standards. As noted by the Cyber Security Agency, “risks of services being carried out by incompetent or substandard providers are multifold”. As some information is sensitive and confidential, the bar for standards must be set up high so that such information will not become vulnerable to attack or lose it. 

“It is envisaged that licensing could serve as the means through which the quality of (service providers) could be raised over time in future, such as through the introduction of a code of ethics or certain baseline competency requirements.”

Cyber Security Agency

Choosing the Right Service Provider, a Credible and Licensed One!

Moreover, licensing service providers could also address and lessen the information gap that exists between customers and service providers by helping such customers identify providers that are credible. 

With the requirement of a license for service providers this early 2022, it is better to advise that you choose your cybersecurity vendor wisely. Make sure that they are licensed as required by the framework, and that such providers have complied with all the requirements for providing services. This is to ensure that your information is secure, and you’ll have the peace of mind in the operations of your business as a customer. 

License Applications and Fees

It is estimated by the Cyber Security Agency that more than 150 license applications will be submitted. This license can last up to two (2) years, new or renewed. 

The usual fee for individual service providers for a license is $500 and $1000 for business entities. However, 50% of these rates have been waived due to the pandemic but this is only for the first 12 months from the start of the licensing framework. The industry consultation is still ongoing and will end on October 18, 2021 by 5pm. The details can be found at CSA’s website.

Also Read: Compliance With Singapore Privacy Obligations; Made Easier!