Bill passed to expand scope of Cybersecurity Act 2018 to regulate more entities
14 May 2024
On 7 May 2024, the Cybersecurity (Amendment) Bill (“Bill”) was passed in Parliament. The Bill will update the Cybersecurity Act 2018 (“Act”) so that it keeps pace with developments in the cyber threat landscape, as well as the evolving technological operating context. The Bill will, among other things, update existing provisions in the Act relating to the cybersecurity of critical information infrastructure (“CII”) and introduce new provisions to regulate (i) owners of systems of temporary cybersecurity concern (STCC), (ii) entities of special cybersecurity interest (ESCIs), and (iii) major foundational digital infrastructure (FDI) service providers.
The Bill was introduced in Parliament on 3 April 2024.
Set out below are key provisions of the Bill as well as salient points to note as highlighted by Senior Minister of State for Communications and Information Dr Janil Puthucheary in the Opening Speech for the Second Reading of the Bill.
Adapting to shifts in the operating context
- The Bill will extend the meaning of “computer” and “computer system” in specified portions of the Act to include “virtual computers” and “virtual computer systems”. Currently, the Act’s definitions of “computer” and “computer system” are predicated on them being physical computers that are built out of dedicated physical hardware, such as hard disk drives, memory and processor chips. The new definitions make it clear that the CII owner is responsible for the cybersecurity of its virtualised CII, and not other parties that supply the underlying physical infrastructure.
- The Bill will insert a new Part 3A in the Act which will regulate designated providers of essential services who rely on CII owned by third parties, for the continuous delivery of essential services (such designated provider known as the “provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure”). This will deal with situations where a provider of an essential service could leverage a computer system owned by a third party, because it could be more effective or efficient to do so. Before the Commissioner of Cybersecurity (“Commissioner”) can make such a designation, the Commissioner must be satisfied that a third-party-owned CII (whether located in or outside Singapore) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the third-party-owned CII will have a debilitating effect on the availability of the essential service in Singapore. Providers of essential services must remain responsible for the cybersecurity and cyber resilience of the computer systems relied upon to deliver essential services they provide. New Part 3A will ensure that they cannot outsource this responsibility, even if they rely on a third party’s computer system for the continuous delivery of the essential service. To be clear, the Cyber Security Agency of Singapore (“CSA”) does not seek to regulate the owners of these systems under Part 3A, who are the third-party vendors. However, the providers of essential services must ensure that the systems they rely on can meet comparable cybersecurity standards and requirements of a CII through legally-binding commitments, such as contracts.
- The Bill will amend the Act to allow CSA to deal with situations where a CII is supporting an essential service from overseas by inserting a new section 7(1A) which will allow CSA to designate and regulate such computer or computer systems that are located wholly outside Singapore as a provider-owned CII under the Act, if the computer or computer system is necessary for the continuous delivery of an essential service and the computer or computer system would have been designated as a provider-owned CII under section 7(1) had it been located wholly or partly in Singapore. Note that the new section 7(1A) will not enable the Commissioner to take any enforcement action outside Singapore.
- The Bill will amend the Act to require CII owners under Part 3 to additionally report to the Commissioner incidents that affect: (i) other computers or computer systems under the control of the provider-owned CII, where the computers or computer systems are not interconnected with and do not communicate with the provider-owned CII, and (ii) computers or computer systems under the control of a supplier to the owner that are interconnected or communicate with the provider-owned CII.
- The Bill will insert a new Part 3B in the Act to regulate computer or computer systems that, for a time-limited period, are at high risk of cyber-attacks, and if compromised would have a serious detrimental effect on Singapore’s national interests (such designated computer or computer systems known as “Systems of Temporary Cybersecurity Concern” (“STCC”)). Before the Commissioner can designate a system as an STCC, the Commissioner must be satisfied that, for a limited period, the system is at a high risk of a cybersecurity threat or incident; and the loss or compromise of the system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. Given that STCCs are critical systems when they are set up, Part 3B will impose on STCC owners cybersecurity obligations similar to those for CII owners, where practicable. Part 3B will allow CSA to be proactive in raising the cybersecurity posture of the STCC, depending on the operating context and the time period for which the STCC is needed.
- The Bill will insert a new Part 3C in the Act to allow CSA to regulate designated entities that could be particularly attractive targets for malicious threat actors, because the entity stores sensitive information in a computer or computer system under its control, or uses a computer or computer system under its control to perform a function which, if disrupted, will have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, public safety, or public order (such designated entities known as “Entities of Special Cybersecurity Interest” (“ESCIs”)). The specific list of entities designated as ESCIs will not be disclosed publicly to avoid inadvertently advertising these entities as worthy targets to malicious actors. CSA will be able to issue or approve cybersecurity standards of performance and codes of practice to stipulate the cybersecurity measures that ESCIs should have in place. ESCIs will be required to report prescribed cybersecurity incidents that result in a breach of the availability, confidentiality, or integrity of the entities’ data, or have a significant impact on the business operations of the entities. CSA will also be empowered to issue written directions to ESCIs, if necessary or expedient, for ensuring the cybersecurity of the ESCIs or the effective administration of the Act.
- The Bill will introduce a new Part 3D in the Act to allow CSA to regulate designated major Foundational Digital Infrastructure (“FDI”) service providers. This refers to entities that serve a large number of businesses or organisations. Smaller players, who are more sensitive to regulatory costs, will not be regulated. These major FDI service providers must be providers of FDI services specified in the new Third Schedule. For a start, the Third Schedule will cover cloud computing services and data centre facility services. CSA will be able to issue or approve standards of performance and codes of practice that stipulate the cybersecurity practices designated major FDI service providers are expected to have in place. These major FDI service providers will also be required to report prescribed cybersecurity incidents that (i) result in a disruption or degradation of the designated provider’s FDI service in Singapore, or (ii) have a significant impact on the major FDI service provider’s business operations in Singapore.
- The Bill will insert a new section 35B in the Act to extend the same appeal avenues currently available to those designated as CII owners under the Act to providers of essential services under Part 3A, STCC owners, ESCIs, and major FDI service providers that CSA designates.
The proposed scope of the Bill is targeted and affects only providers of essential services, owners of STCCs, ESCIs, and major FDI service providers. These are a known and finite set, and CSA will be working closely with them. The Bill does not impose cybersecurity obligations on the larger business community.
Strengthening the administration of the Act
- To improve CSA’s ability to enforce the Act against recalcitrant CII owners regulated under Part 3 of the Act, the Bill will amend section 15(4) to empower CSA to inspect the CII if it appears to the Commissioner that the CII owner has not complied with its obligations or has provided information requested under section 10 of the Act that is false, misleading, inaccurate or incomplete.
- The Bill will amend the Act to provide monitoring powers for licensing officers for the purposes of executing Part 5 which regulates persons who provide licensable cybersecurity services. The new provisions will give CSA powers of entry and inspection, and to require the production of records, accounts and documents from licensed cybersecurity service providers. Non-compliance with such requirements without reasonable excuse will be a criminal offence.
- The Act will be amended by the Bill to make it an offence for any person to use CSA’s gazetted symbols or representations without the Commissioner’s prior written permission.
- The Bill will amend the Act to allow the Commissioner to grant an extension of time to any person required to do any action under relevant parts of the Act, as long as the Commissioner is satisfied that there are good reasons to do so.
Revised penalty regime
- The Bill will amend the Act to give the Commissioner the flexibility to bring an action in court for civil penalties with the Public Prosecutor’s consent. In making a recommendation to the Public Prosecutor, CSA will consider a range of factors, including the risks created by the non-compliance, the egregiousness, and the facts of the case. In the current Act, non-compliance with statutory obligations in relation to CII is to be enforced through criminal penalties.
Reference materials
The following materials are available on the Parliament website www.parliament.gov.sg and CSA website www.csa.gov.sg.