Introduction

On 7 May 2024, the Singapore Parliament passed the Cybersecurity (Amendment) Bill No.15/2024 ("Bill") to introduce key amendments to its Singapore Cybersecurity Act 2018 ("Cybersecurity Act"). The Bill grants the Cyber Security Agency of Singapore ("CSA") greater powers and broadens the Cybersecurity Act's scope beyond owners of critical information infrastructure ("CII"), which are computer systems directly involved in the provision of essential services. The CII sectors are energy, water, banking and finance, healthcare, transport (which includes land, maritime, and aviation), infocomm, media, security and emergency services, and government.

The Bill aims to address evolving cybersecurity challenges brought by, amongst other things, the rise of cloud computing. The original provisions of the Cybersecurity Act only regulate self-owned CII computer systems, but increasingly CII computer systems are hosted on cloud platforms, necessitating regulation for third-party-owned CII computer systems as well. Furthermore, threat actors increasingly target vendors and supply chains of organisations, as demonstrated by the SolarWinds supply chain attack a few years ago. The increased digital integration into daily life has also expanded the "attack surface", leaving residents and businesses exposed to greater cybersecurity risks.

Key amendments to the Cybersecurity Act

  1. Regulate both physical and virtual CII systems

The Bill broadens the scope of the Cybersecurity Act by encompassing virtual CII computer systems. By clarifying that "computer" and "computer system" include virtual structures such as CII in a cloud environment, these changes ensure that CII owners are responsible for the cybersecurity of their systems, whether physical or virtual.

A new section has been added to the Cybersecurity Act to ensure that the CII owners, not third-party CII vendors, remain accountable for their cybersecurity obligations for external systems provided by third party vendors. CII owners must establish legally binding commitments such as contracts to ensure their vendors' systems meet comparable cybersecurity standards.

  2. Regulate CII owners supporting an essential service from overseas

The original Cybersecurity Act only allows CSA to designate computer systems as CII if they are entirely or partially located in Singapore. The new amendments will enable CSA to regulate computer systems wholly located outside Singapore if (i) the owner of such computer systems is in Singapore; and (ii) such computer systems would have been designated as CIIs had they been located in Singapore.

  3. Manage CII owners' supply chain risks

Under the original Cybersecurity Act, a CII owner is generally only obliged to report cybersecurity incidents affecting computers or computer systems that are interconnected with or communicate with the CII. The new amendments will require CII owners to additionally report incidents that affect: (i) other computers or computer systems which are under the control of the CII owner, even if they are not interconnected with or communicate with the CII; and (ii) computers which are under the control of an external supplier if such computers are interconnected with or communicate with the CII owners' CII.

The first requirement aims to address cybersecurity incidents similar to the SolarWinds supply chain attack, while the second requirement facilitates early intervention if systems provided by external suppliers are compromised. Notably, the requirement to report on incidents affecting external suppliers will apply only if the CII is owned by the CII owner. This approach is practical because CII owners using third-party-owned CIIs often lack sufficient visibility into their external suppliers to meet reporting obligations.

  4. Entities other than CII owners will also be subject to the CSA

The Bill expands the scope of the Cybersecurity Act to cover three new types of entities in addition to CII owners:

  • Systems of Temporary Cybersecurity Concern ("STCC") are high-risk temporary systems that, if compromised, would seriously harm national interests. STCC cover systems which are critical to crisis response or supporting major international events, such as those used to support the distribution of critical vaccines during COVID.
  • Entities of Special Cybersecurity Interest ("ESCIs") are organisations handling sensitive information impacting national interests (e.g. entities that could be particularly attractive targets for malicious threat actors, because the disruption of the function they perform, or the disclosure of sensitive information contained in their computer systems, would have a significant detrimental effect on Singapore's defence, foreign relations, economy, public health, public safety, or public order). For example, ESCIs would potentially include universities or selected financial institutions. While the list of designated ESCIs will not be published for security reasons, CSA will engage with entities before designating them as such.
  • Providers of "Foundational Digital Infrastructure Service" ("FDIS") are providers essential to the functioning of the digital economy, enabling the day-to-day needs of the citizens. The list of FDIS providers has been specified in a new Third Schedule, which currently covers cloud computing and data centre services. The list can be expanded to cover new types of digital infrastructure in the future.

  5. Amplified Regulatory Powers

The Bill enhances CSA's regulatory powers, including powers to:

  • inspect CIIs if their owners fail to meet their obligations or if they provide inaccurate information;
  • conduct inspections and require documentation from providers of licensable cybersecurity services to ensure compliance with licensing conditions; and
  • extend compliance deadlines for valid reasons.

As regards enforcement of the Cybersecurity Act, a new civil penalty regime has been introduced for contraventions of specific parts of the Cybersecurity Act (in addition to criminal penalties under the current Cybersecurity Act). The Bill enables the Commissioner of Cybersecurity, with the Public Prosecutor's consent, to bring an action in court against a person who has contravened specific parts of the Cybersecurity Act to seek an order for a civil penalty in lieu of prosecution. Penalties can reach up to 10% of the annual turnover of such person in Singapore or SGD 500,000, whichever is higher.

Our observations

The new amendments to the Cybersecurity Act grant CSA broader authority to enhance Singapore's cybersecurity resilience and preparedness to tackle cyber attacks. To navigate the evolving cybersecurity regulatory landscape in Singapore, businesses must understand the implications of the Cybersecurity Act on their operations. For example, they can be directly subject to the Cybersecurity Act and/or will face auditing and more stringent cybersecurity requirements imposed by their business counterparts or customers via contracts or other means.

Key contacts

Peggy Chow

Of Counsel, Singapore

Kenji Lee

Associate, Prolegis LLC, Singapore
