What is Singapore’s Cybersecurity Bill?
Horangi’s summary and advice on the new Cybersecurity Bill for your business
The Singapore Cybersecurity Act 2018, otherwise known as the Cybersecurity Bill, was passed into law by the Singapore Parliament on Monday, February 5th. The bill places the cyber security of local organizations serving within 11 essential services under the scrutiny of the Commissioner of the Cyber Security Agency of Singapore (CSA), otherwise referred to as ‘The Commissioner’ within the act. This government official is given enhanced investigatory powers and the authorization to demand information on suspected cyber attacks that may be a threat to National Security, Defence, Foreign Relations, Economy, Public Health, Public Safety, and the Public Order of Singapore.
In October 2016, Prime Minister Lee Hsien Loong announced Singapore’s Cybersecurity Strategy outlining the nation’s four-pronged approach towards cybersecurity:
- Building a Resilient Infrastructure
- Creating a Safer Cyberspace
- Developing a Vibrant Cybersecurity Ecosystem
- Strengthening International Partnerships
The Singaporean government has since progressed with an undivided focus on the cyber security industry. This is evidenced by the issuance of government-sponsored scholarships on cybersecurity, the establishment of the Singapore Cybersecurity Consortium, and most notably, the passing of the Cybersecurity Bill.
Who does it affect?
The new bill states that 11 domains of essential services will be bound by the new law under the First Schedule. They are: Energy, Information Communications, Water, Healthcare, Banking and Finance, Security and Emergency Services, Aviation, Land Transport, Maritime, Government, and Media.
The Second Schedule is designed to ensure that only cyber security service providers holding recognized licenses are allowed to provide security services to the greater public. The licensing structure, however, has yet to be revealed by the CSA.
How does the incoming Act affect you and your business?
Under the new act, organizations categorized as an essential service will now be required to engage licensed cyber security service providers to secure their Critical Information Infrastructure (CII). This will be accompanied by a compulsory System Compliance Audit once every two years, and a Cyber Security Risk Assessment every year.
Given the relative infancy of the passed act, there has yet to be an official definition of which infrastructures are categorized as CIIs. However, categorization as a CII appears to depend on whether the organization's infrastructure is 'necessary for the continuous delivery of an essential service', as outlined in "Part 4: Responding to and Prevention of Cyber Security Incidents; Section 21: Powers to Investigate and Prevent Serious Cybersecurity Incidents; Point 2(b)" of the incoming Cybersecurity Act.
Any failure to comply with regulations outlined in the new act will render the noncompliant organizations liable to a fine of up to SG$ 100,000 and/or two years in jail.
“Cybersecurity is a team effort, everyone has a part to play, and everyone has to play their part.” Minister-in-charge of Cybersecurity, Dr Yaacob Ibrahim
Singapore is one of the most digitally connected nations within Southeast Asia, and the world. Guided by the Singapore Smart Nation Master Plan, the small island nation has witnessed a high adoption of information communication technologies. This progressively increasing adoption rate heightens our vulnerability to cyber threats. Our increased national vulnerability is evident from three major cyber attacks in 2017, namely the MINDEF Cyber Breach, the WannaCry Ransomware, and the Petya Ransomware outbreaks, which affected organizations in both private and public sectors and incurred significant financial losses and operational limitations.
Source: https://www.police.gov.sg/resources/prevent-crime/ransomware (Accessed Feb 12, 2018)
The CSA has since established specialised teams, such as the Singapore Computer Emergency Response Team (SingCERT), to provide businesses with professional expertise and guidance in the event of a cyber attack. They have also supported non-commercial initiatives to assist victims of cyber attacks in Singapore, such as the “No More Ransom!” initiative by Europol’s European Cybercrime Centre (EC3). You can subscribe to SingCERT’s cybersecurity updates here.
The move towards creating a safer cyber space by the government helps to build a vibrant cyber security community within Singapore. This leads to a higher standard of protection and understanding of cyber security amongst local organizations. This facilitates the cultivation of better capabilities to Protect, Detect, and Respond to cyber security incidents.
Although the engagement of licensed third-party cyber security providers is a requirement under the law, many local corporations and Ministers of Parliament (MPs) have raised concerns regarding the financial feasibility of such requirements.
Within the current cyber security service provider ecosystem, most consultancies are expensive and usually unable to accommodate Small and Medium Sized Enterprises (SMEs). A key piece of advice for both SMEs and larger corporations seeking to ensure compliance and security in our increasingly turbulent cyber security threat landscape is to enlist the help of specialized cyber security consultancies with broadly scalable services.
The first step towards ensuring greater cyber security within Singapore and the Southeast Asian region is to build partnerships with companies that actually care and have the adaptive solutions to protect your enterprise.