Bill introduced to expand scope of Cybersecurity Act 2018 to regulate more entities
12 April 2024
On 3 April 2024, the Cybersecurity (Amendment) Bill (“Bill”) was tabled in Parliament for first reading. The Bill will update the Cybersecurity Act 2018 (“Act”) so that it keeps pace with developments in the cyber threat landscape, as well as the evolving technological operating context. The Bill will, among other things, update existing provisions in the Act relating to the cybersecurity of critical information infrastructure (“CII”) and introduce new provisions to regulate (1) owners of systems of temporary cybersecurity concern (“STCC”), (2) entities of special cybersecurity interest (“ESCIs”), and (3) major foundational digital infrastructure (“FDI”) service providers.
A summary of the key changes is set out below.
Critical information infrastructure
CII are computers or computer systems that are necessary for the continuous delivery of essential services in Singapore. Since the Act came into force in 2018, the technological and business contexts for the delivery of essential services have changed. Advances in virtual computing and the availability of a wider and more sophisticated range of computing services today have unlocked greater business efficiency and service quality.
The Bill will ensure that CII owners remain responsible for the cybersecurity and cyber resilience of the CII, even as they embrace new technological and business models (e.g. use of cloud computing). The Bill will insert a new Part 3A in the Act to regulate providers of an essential service which are made responsible for the cybersecurity of third‑party‑owned CII on which the delivery of their essential service is dependent. The Commissioner of Cybersecurity (“Commissioner”) will be empowered to designate such a provider of an essential service as a designated provider responsible for third-party-owned CII. Part 3A contains provisions which are adapted from the provisions of Part 3 of the Act (which provides for the designation of CII and the regulation of owners of CII with regard to the cybersecurity of the CII) as amended by the Bill, and additional provisions requiring the designated provider to obtain legally binding commitments from the owner of the third‑party‑owned CII to perform certain actions, which in turn enable the designated provider to fulfil its own obligations under Part 3A.
The Bill will also add new provisions in the Act to require CII owners to report the following types of incidents to the Commissioner:
- prescribed cybersecurity incidents in respect of any computer (or computer system) under the control of the owner of a provider‑owned CII, where the computer (or computer system) is not interconnected with and does not communicate with the provider‑owned CII.
- prescribed cybersecurity incidents in respect of any computer (or computer system) under the control of a supplier to the owner that is interconnected with or that communicates with the provider‑owned CII.
Systems of temporary cybersecurity concern
The Bill will insert a new Part 3B which regulates owners of STCC in relation to the cybersecurity of such systems. The Commissioner may designate a computer or computer system located wholly or partly in Singapore as an STCC on the basis that, for a limited period, there is a high risk to the cybersecurity of that computer or computer system, and the loss or compromise of that computer or computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
The owner of an STCC will be required to notify the Commissioner of the occurrence of a prescribed cybersecurity incident in respect of the STCC, or in respect of any computer or computer system under the owner’s control, or under the control of a supplier to the owner, that is interconnected with or that communicates with the STCC.
An example of an STCC would be the temporary systems used to support the distribution of critical vaccines during a pandemic. During the Covid-19 pandemic, the vaccine distribution systems deployed by healthcare organisations around the world were targeted by malicious cyber actors.
Entities of special cybersecurity interest
The Bill will insert a new Part 3C in the Act which regulates ESCIs in relation to the cybersecurity of systems of special cybersecurity interest. The Commissioner may designate an entity as an ESCI on the basis that the entity stores sensitive information in a computer or computer system (or class of computers or computer systems) under the entity’s control, or uses a computer or computer system (or class of computers or computer systems) under the entity’s control to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
The ESCI must notify the Commissioner of the occurrence of a prescribed cybersecurity incident in respect of the system of special cybersecurity interest or any other computer or computer system under the entity’s control, where the incident results in a breach in the availability, confidentiality or integrity of the entity’s data or has a significant impact on the business operations of the entity.
Examples of such entities could include autonomous universities. Since they are not CIIs, the obligations imposed on ESCIs will not be at the same level as those imposed on CII owners.
Foundational digital infrastructure
The Bill will insert a new Part 3D in the Act to require companies that provide digital infrastructure services that are foundational to the economy or way of life (such as cloud service providers and data centres) to be responsible for the cybersecurity of such digital infrastructure. This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to the Cyber Security Agency of Singapore (“CSA”). These obligations will not be at the level imposed on CII owners.
The Bill will insert a new Third Schedule in the Act which lists two FDI services as follows:
- Cloud computing service, which can be delivered from a computer or computer system in or outside Singapore; and
- Data centre facility service, which relies on a computer or computer system in Singapore encompassed within a facility in Singapore.
Background
By way of background, the Cyber Security Agency of Singapore (“CSA”) consulted on the draft Bill from 15 December 2023 to 15 January 2024. Respondents generally expressed support and understood the need to expand the regulatory ambit of the Act beyond CIIs to cover other entities.
Reference materials
The following materials are available on the Parliament website www.parliament.gov.sg and CSA website www.csa.gov.sg: