3. Summary of Changes
(3.1) In summary, the CS Bill introduces the following key changes to the CS Act:
- Updating of CII-related provisions under the CS Act to account for changes in technology and business models to include virtual systems and CIIs located overseas.
- Expanding the scope of cyber incidents reportable by CII owners to the CSA.
- Expanding the scope of the CS Act to include owners of systems of temporary cybersecurity concern (STCC); entities of special cybersecurity interest (ESCI); and providers of major foundational digital infrastructure services (FDI).
- Enhancing administrative powers and the penalty regime.
Updating of CII-related provisions
(3.2) At present, the CS Act primarily imposes obligations on CII owners. This regulatory approach reflects the business norm at the time the CS Act was enacted in 2018, when providers of essential services (PES) owned and operated the CII necessary for the delivery of essential services.
(3.3) To account for changes in the technology operating environment, the CS Act has been updated with new definitions of “computer” and “computer system”, as well as a new Part 3A to regulate PES that rely on third-party owned CII.
Updating definitions of “computer” and “computer system”
(3.4) At present, the definitions of “computer” and “computer system” are based on the premise that such devices and systems are physical computers built out of dedicated hardware, such as hard disk drives, memory and processor chips.[2] This is because the prevailing norm at the time of enactment of the CS Act envisaged CIIs as physical systems. However, the use of virtualisation and cloud computing technologies has surged since 2018, and it is now possible for a CII to be based on a virtual computing system. Definitions of “computer” and “computer system” focused on regulating physical hardware (which can be easily replaced or shared in a virtual computing system) are therefore out of step with such virtual computing systems.
(3.5) Accordingly, the relevant definitions of “computer” and “computer system” in the CS Act will be updated to include “virtual computers” and “virtual computer systems”.[3] Additionally, provisions clarifying what “ownership” means in relation to “virtual computers” and “virtual computer systems” have been included. These changes allow the CS Act to regulate both physical and virtual CIIs. The new definition also clarifies that a CII owner is responsible for the cybersecurity of its virtual CII, not the third-party vendors that supply the underlying physical infrastructure.[4]
(3.6) In addition, the CS Act has been amended to designate and regulate CIIs located overseas that support an essential service in Singapore.[5] This applies if the owner of the computer system is in Singapore and the computer system would have been designated as a CII had it been located wholly or partly in Singapore.
New Part 3A – regulating PES that rely on third-party owned CII
(3.7) Part 3A of the CS Act will extend regulatory powers over PES that rely on third-party owned CII for the continuous delivery of a given essential service.[6] This will allow PES to benefit from the efficiency and effectiveness of computer systems operated by third parties, who may have greater expertise or cost-effectiveness in operating such systems due to demand aggregation.
(3.8) Under the new Part 3A, PES will remain responsible for the cybersecurity and cyber resilience of the computer systems relied upon to provide the essential services. This makes clear that PES cannot outsource their responsibility to third-party vendors by relying on third-party computer systems.
(3.9) In this regard, the Senior Minister of State for Communications and Information, Janil Puthucheary, clarified during the Second Reading of the CS Bill that, while the new Part 3A of the CS Act does not seek to regulate the third-party owners of the systems used by PES, such PES must ensure that the systems they rely on meet cybersecurity standards and requirements comparable to those of a CII, through legally binding commitments such as contractual provisions.[7]
Expanding the scope of cyber incidents reportable by CII owners to the CSA
(3.10) At present, a CII owner is generally required to report to the CSA cyber incidents relating to the CII, or computers or computer systems that are interconnected with or communicate with the CII.
(3.11) To counter the evolving tactics of threat actors who target systems at the periphery or in supply chains in order to attack CIIs, the CS Act will now require CII owners to additionally report incidents that affect: (a) other computers under the CII owner’s control; and (b) computers under the control of a supplier that are interconnected with or communicate with the CII.[8]
Expanding the scope of the CS Act to include STCC, ESCI and FDI
(3.12) Apart from regulatory changes in relation to CIIs, the CS Act has now been expanded to regulate STCC, ESCI and FDI.
- Under the new Part 3B, the CSA will be able to designate and regulate STCCs, which are designated systems that, for a time-limited period, are at high risk of cyber-attacks and whose compromise would have a serious detrimental effect on Singapore’s national interests.
- Under the new Part 3C, the CSA will be able to designate and regulate ESCIs, which are particularly attractive targets for malicious threat actors, either because disruption of the function they perform, or because disclosure of sensitive information held in their computer systems, would likely have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public safety or public order. In this regard, it was clarified during the Second Reading of the CS Bill that no specific list of designated ESCIs will be disclosed, so as to avoid inadvertently advertising these entities to threat actors.[9]
- Under the new Part 3D, the CSA will be able to designate and regulate major providers of FDI, which refers to entities that serve large numbers of businesses or organisations. This would safeguard against the risk of widespread disruption or deterioration of activities that rely on or are enabled by FDI services. The list of FDI services is specified in the new Third Schedule to the CS Act, which, as a start, will include cloud computing services and data centre facility services.[10] Additional FDI services may be included in the Third Schedule to the CS Act as new types of digital infrastructure emerge and grow in importance to Singapore’s needs.
Enhancing administrative powers and the penalty regime
(3.13) The administrative powers of the Commissioner of Cybersecurity (Commissioner) will be enhanced to address non-compliance with the CS Act. For instance, the Commissioner will be empowered to conduct on-site inspections of CII owners if it appears to the Commissioner that a CII owner has failed to meet compliance requirements or has submitted false, misleading, inaccurate or incomplete information.[11] The Commissioner can also grant a time extension to any person required to take any relevant action under the CS Act, provided there are good reasons to do so.[12]
(3.14) To improve CSA’s ability to monitor and supervise persons who provide licensable cybersecurity services under Part 5 of the CS Act, the CS Act will now provide monitoring powers for licensing officers under the provisions of a new section 29A. The new provisions give the CSA powers to enter and inspect premises, request records, and make inquiries to ensure compliance.
(3.15) Presently, non-compliance with the statutory obligations in relation to CII is enforced through criminal penalties. To provide the CSA with a wider toolkit for securing compliance with the CS Act (especially given the broader set of obligations introduced), sections 37A to 37D of the CS Act will give the Commissioner the flexibility to, with the Public Prosecutor’s consent, bring a civil action in court for civil penalties instead of pursuing criminal enforcement.[13] Depending on the provisions contravened, such civil penalties could range from a sum not exceeding S$100,000 to 10% of the annual turnover of the person’s business in Singapore.[14]