Singapore Progresses Towards Amended Cybersecurity Law

Singapore Progresses Towards Amended Cybersecurity Law
Friday, April 19, 2024

In a Nutshell

On 17 April 2024, the Cybersecurity Agency of Singapore (Agency) issued a response to public feedback received on a draft amendment to its cybersecurity law.

This draft amendment of the Cybersecurity Bill (Bill) was published as part of a public consultation exercise from 15 December 2023 to 15 January 2024.

Our earlier post about this consultation can be accessed here.

What Was the Industry Feedback Received on the Bill?

The Agency received and considered a total of 55 different submissions comprised of comments and feedback on the Bill from critical information infrastructure (CII) owners, the industry and the public at large.

There was general widespread support for the revisions proposed in the Bill, which underscores a common recognition of the heightened importance of cybersecurity and the need for robust regulation in a fast-expanding digital landscape.

What Areas Did the Industry Feedback Cover?

With regards to proposed amendments in the Bill applicable to CII, the feedback received from the industry fell into the following three areas:

  1. Whether the proposals to regulate CII owners’ use of distributed system architecture (e.g. commercial cloud solutions) or computing vendors would create statutory obligations (directly or indirectly) for these providers serving the CII owners.
  2. The potentially higher compliance costs faced by CII owners and Providers of Essential Services (PES) as defined in the Bill, due to their increased obligations including incident reporting and the need to obtain legally binding commitments.
  3. How the amended act will be operationalised, including the designation process for PES and the scope of the Commissioner of Cybersecurity’s powers to conduct on-site inspections.

How Were These Issues Addressed in the Agency’s Response?

Statutory Obligations for Third-party Providers Serving CII Owners

CII owners will continue to be primarily responsible for the systems they control and own.

More specifically, the Agency clarified that the statutory obligations under the Bill will not extend to third-party cloud service providers supporting the CII, nor to third-party computing vendors engaged by and delivering services to a designated PES.

In respect of virtual computer systems (Virtual Systems), the Agency will introduce additional provisions in the Bill to clarify that it is the person who has:

  • Control over the operations of such Virtual Systems.
  • The right and ability to perform security configuration and management tasks in respect of such Virtual Systems, including to make any modification as necessary for its cybersecurity.
  • Responsibility for the security of such Virtual Systems under a person’s contractual arrangement with a cloud provider, who will be considered the owner of the Virtual Systems that is CII. This means that it will be the existing CII owner, who has control over said CII, that will continue to be responsible for such system even after virtualisation, and not the cloud provider.   

Increased Compliance Costs

The Agency will work to manage the compliance burden of CII owners. This will include developing a pragmatic approach to operationalising incident reporting.

However, the Agency considers that any decision to use an outsourced CII from a third-party computing vendor is ultimately a commercial one. It is open to CII owners to outsource after assessing the costs and benefits involved. Regardless of whether CII is outsourced or owned, the Agency takes the position that the same level of cybersecurity must be established to address disruption risks to the delivery of essential services. This is especially so given the fast-evolving tactics of advanced persistent threat actors and cybercriminals today, looking to exploit supply chains and other peripheral systems to attack CII. 

PES Designation and On-site Inspections

Due to security reasons, the Agency does not intend to publish the full list of special cybersecurity entities which are to be designated as such.

On the issue of whether a CII owner can be concurrently designated as a PES, the Agency clarified that such designations would involve a considered process. This will include working closely with all parties concerned to identify potential providers of essential services, as well as any sectoral regulator to properly understand the operating environment, and computer systems involved in the delivery of essential services.

For on-site inspections that may be conducted by the Agency pursuant to its powers under the Bill, the Agency assured that ample prior notice will be given to enable CII owners to prepare ahead of such inspections.

Concluding Observations
The Agency also stated that it will continue to take reference from international best practices as well as to harmonise its approach with any other sectoral rules in Singapore, as may be relevant. It will also conduct further industry consultations on the development of subsidiary technical and operational codes of practice, and incident reporting parameters, as well as on the implementation of the proposed amendments in the Bill.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC