The Cybersecurity (Amendment) Bill was passed by the Singapore Parliament on 7 May 2024. The passage of such legislation is essential to Singapore's cybersecurity landscape and continued progress as a digitally advanced nation. In this short article, we have summarized the main points of the Cybersecurity (Amendment) Bill:
1. Who does the Cybersecurity Act affect?
Currently, the Cybersecurity Act is a critical information infrastructure (“CII) located in whole or in part in Singapore.
Going forward, once the amendments under the Cybersecurity (Amendment) Bill come into force, the Cybersecurity Act will apply to CIIs that are owners of systems with temporary cybersecurity concerns ('STCC”), entities with a special interest in cybersecurity (”ESCI”) and underlying digital infrastructure service providers (“FDI”).
2. How will this amendment affect CII?
CII is a critical computer system required to continuously provide essential services in Singapore. The loss or compromise of such computer systems could affect the availability of the relevant essential services in Singapore. Examples of CII include essential services such as public supplies and banking services. The list of CII owners is not publicly available.
Fixes that affect CII include:
a.Protect both physical and virtual CII systems
Currently, cybersecurity laws only protect physical CII systems. In the future, it will be extended to virtual CII systems, including cloud computing systems.
b. Increased liability regulations for critical service providers that use CII owned by third parties
This amendment ensures that critical service providers are held accountable for third-party owned CII to meet the necessary cybersecurity standards and requirements.
c. Extends to CIIs located entirely overseas.
Currently, the Cybersecurity Act only covers CIIs located in whole or in part in Singapore. In the future, this will also apply to CIIs located outside Singapore.
d. Expanding the list of reportable cybersecurity incidents
Currently, CII owners are only required to report cybersecurity incidents related to CII or computers or computer systems that interconnect or communicate with CII. This amendment allows CII owners to report additional incidents that affect (i) other computers under the owner's control, and (ii) computers under the control of suppliers that interconnect or communicate with CII. You are required to do so.
3. How will this amendment affect STCC?
STCC is a computer system located in whole or in part in Singapore, is critical to Singapore for a limited period of time, is at high risk of cybersecurity attack, and the loss or breach of such system could be a threat to national security, defence, foreign may have a negative impact. Singapore's relations, economy, public health, security, and security.
Fixes that affect STCC include:
a. STCC regulations
The amendments will enable the relevant regulator (Singapore Cybersecurity Authority) to regulate STCC and STCC cybersecurity. This includes authorizing the Singapore Cybersecurity Authority to issue written directions to STCCs and to grant and withdraw designations of STCCs.
b. Obligation to report cybersecurity incidents
The STCC has a duty to report certain prescribed cybersecurity incidents to the Singapore Cyber Security Authority.
c. Requirements for establishing mechanisms and processes
STCC owners must establish mechanisms and processes to detect cybersecurity threats and incidents.
4. How will this amendment affect ESCI?
ESCI is an entity that stores classified information on computer systems under the entity's control, or that uses computer systems under the entity's control that, if disrupted, would be critical to national defense, foreign relations, the economy, or public health. An entity that performs a function that has an adverse effect. Public safety or security in Singapore.
The fixes that affect ESCI are:
a. ESCI regulations
The amendments will allow the Cyber Security Authority of Singapore to regulate ESCI. This includes authorizing the Cyber Security Authority of Singapore to issue written directions to ESCI and to grant and revoke ESCI's designation.
b. Obligation to report cybersecurity incidents
ESCI has an obligation to report certain prescribed cybersecurity incidents to the Cyber Security Authority of Singapore if they result in a breach of the availability, confidentiality or integrity of corporate data or have a material impact on the business operations of the company. there is.
c. Requirements for establishing mechanisms and processes
ESCIs must establish mechanisms and processes for detecting cybersecurity threats and incidents with respect to systems of particular concern to cybersecurity, as set out in the applicable Code of Practice.
5. How will this amendment affect FDI?
FDI is a computer system that is necessary for the continued provision of essential digital infrastructure services provided to Singapore residents from within or outside Singapore (in whole or in part) and is subject to loss of provision of such services or Impairment is more likely to be the cause. disruption or deterioration of the operations of a large number of companies and organizations in Singapore that are dependent on such FDI; Examples of FDI include cloud service providers and data center operators.
The amendments affecting FDI are:
a. FDI regulation
The amendments will allow the Cyber Security Authority of Singapore to regulate FDI service providers. This includes authorizing the Cyber Security Authority of Singapore to issue written directions to FDI service providers and to grant and withdraw designation of FDI service providers.
b. Obligation to report cybersecurity incidents
FDI service providers are required to report certain prescribed cybersecurity incidents to the Cybersecurity Authority of Singapore, including incidents that disrupt or degrade the continued provision of FDI in Singapore for a designated period of time, and are required to report certain prescribed cybersecurity incidents to the Singapore Cybersecurity Authority if the incident This may occur. has a significant impact on the business operations of his FDI service provider in Singapore.
c. Requirements for establishing mechanisms and processes
FDI service providers must establish mechanisms and processes to detect cybersecurity threats and incidents related to FDI, as set out in the applicable Code of Practice.
6. Closing words
With digital technology being an integral part of business growth and our daily lives, there is no doubt that cybersecurity threats continue to increase, not only in Singapore but around the world. As Singapore continues to progress as a digitally secure and tech-savvy nation, the Cybersecurity (Amendment) Bill will not only strengthen the existing cybersecurity environment but also increase user confidence in using online services in Singapore. This brings great advantages to Singapore.
Going forward, CIIs, STCCs, ESCIs and FDIs will need to review their processes and policies to ensure they are legally compliant with the Cybersecurity Act once the amendments under the Cybersecurity (Amendment) Bill come into force .
If you have any questions about the Cybersecurity (Amendment) Bill and how it affects you, please feel free to contact the author of this article. We will be happy to assist you.