In a nutshell
On 17 April 2024, the Cyber Security Agency of Singapore (the Agency) published its responses to the public feedback received on the draft amendments to the Cyber Security Act.
The draft amendment to the Cybersecurity Bill (the Bill) was published as part of a public consultation exercise that ran from 15 December 2023 to 15 January 2024.
Previous posts regarding this consultation can be accessed here.
What kind of feedback have you received from industry on this bill?
The Agency received and considered a total of 55 different proposals consisting of comments and feedback on this bill from critical information infrastructure (CII) owners, industry, and the general public.
There was broad general support for the proposed amendments in the Bill, reflecting a shared recognition of the growing importance of cybersecurity and the need for strong regulation in a rapidly expanding digital environment.
What areas did the industry feedback cover?
Feedback received from industry on the proposed amendments applicable to CII falls into three areas:
- Proposals to regulate CII owners' use of distributed system architectures (such as commercial cloud solutions) or third-party computing vendors would impose legal obligations, directly or indirectly, on the providers of services to CII owners.
- CII owners and providers of essential services (PES), as defined in the Bill, may face higher compliance costs due to increased obligations, such as the need to report incidents and to provide legally binding undertakings.
- How the revised law will be implemented, including the PES designation process and the scope of the Cybersecurity Commissioner's authority to conduct on-site inspections.
How were these issues addressed in the agency response?
Legal Obligations for Third Party Providers Serving CII Owners
CII owners remain primarily responsible for the systems they manage and own.
More specifically, the Agency clarified that the legal obligations under the Bill do not apply to third-party cloud service providers that support CII, nor to third-party computing vendors that contract with and provide services to designated PESs.
With respect to virtual computer systems (virtual systems), the Agency will introduce additional provisions in the Bill to clarify who is treated as the owner of such a system, namely the party that has:
- Control over the behaviour of the virtual system.
- The right and ability to perform security configuration and management tasks on the virtual system, including changes necessary for cybersecurity.
- Responsibility for the security of the virtual system under its contractual arrangements with the cloud provider. Such a party shall be deemed the owner of the virtual system that is CII. This means that the existing CII owner who controls the CII, rather than the cloud provider, will continue to be responsible for the system after virtualisation.
Increased compliance costs
The Agency will seek to manage the compliance burden of CII owners. This includes developing a practical approach to operationalizing incident reporting.
However, the Agency considers that the decision to use CII outsourced from third-party computing vendors is ultimately a commercial one: CII owners may outsource after evaluating the associated costs and benefits. Whether CII is outsourced or owned, the Agency's position is that the same level of cybersecurity must be established to address the risk of disruption to the delivery of essential services. This is especially true given the rapidly evolving tactics of today's advanced persistent threat actors and cybercriminals, who seek to exploit supply chains and other peripheral systems to attack CII.
PES designation and on-site inspection
For security reasons, the Agency does not plan to publish a complete list of the special cybersecurity entities it designates.
On the question of whether a CII owner can at the same time be designated as a PES, the Agency made clear that such designation requires a considered process. This includes working closely with sector regulators and all other stakeholders to identify potential providers of essential services, and ensuring that the Agency properly understands the operating environments and computer systems involved in providing those services.
For any on-site inspections that the Agency may conduct under its powers under the Act, the Agency has confirmed that sufficient advance notice will be given to CII owners so that they can prepare for such inspections.
Final observations
The Agency also said it will continue to draw on international best practices and to harmonise its approach with Singapore's rules in other areas where relevant. It also plans to conduct further industry consultations on the development of supporting technical and operational codes of practice and incident reporting parameters, as well as on the implementation of the amendments proposed in the Bill.