On 10 July 2017, the Cyber Security Agency of Singapore ("CSA") released a draft Cybersecurity Bill for public consultation. The Bill's four main objectives are:
Each of these objectives will be discussed in brief below.
Regulation of critical information infrastructure owners
"Critical information infrastructure" or "CII" is broadly defined as "a computer or computer system that is necessary for the continuous delivery of essential services … the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore".
"Essential services" is focused on 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
If a particular computer or computer system is designated as a CII by the Commissioner for Cybersecurity, then the CII would have the following general obligations:
Giving the CSA the necessary powers
In addition to issuing codes of practice, standards of performance or written directions that the CIIs will be audited against (as mentioned above), the CSA would be granted powers to both prevent and investigate cybersecurity incidents.
Such powers would not be limited to critical information infrastructure, but would apply to any computer or computer system in Singapore generally. These powers are broad and allow the Commissioner to examine any person, enter any premises to access the relevant computer system and direct any person to carry out remedial measures and assist in investigations.
All information provided to the Commissioner will be kept confidential by the Commissioner and the identity of any informers will be protected.
Cybersecurity providers will need to obtain a licence from the CSA to continue to provide any service that is "intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person".
There are two types of licences available:
Notably, this licensing regime does not apply where investigative or non-investigative cybersecurity services are provided in-house (i.e. if someone is employed by an organisation to provide these types of services to that organisation, and not anyone else, that person and that organisation do not have to obtain a licence).
In addition to fines and jail terms that may be imposed on individuals and organisations that operate without the appropriate licences, unlicensed providers will not be entitled to commence proceedings to recover any commission, fee, gain or reward for services provided during the period in which the provider did not have the appropriate licence. That is quite an incentive to ensure that appropriate licences are obtained and maintained.
The consultation period for the Bill closes on 3 August 2017. In the meantime, cybersecurity providers are encouraged to self-assess to determine whether they would be required to be licensed under the new regime.
This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please contact our lawyers if you have any specific queries.