Singapore's proposed cybersecurity bill should put many on notice

Questions remain over the kinds of services that will require a license and government officials' liability, but the proposed legislation is clear in one thing--that cybersecurity must now be a top priority for any business operating critical infrastructures in Singapore.
Written by Eileen Yu, Senior Contributing Editor

Singapore's proposed cybersecurity bill has prompted the need for clarification around the licensing of service providers, government liability, and customer confidentiality, but its aim to push cybersecurity as a top priority for all businesses is certainly now accomplished.

The Singapore government on Monday unveiled details of the draft bill, outlining new legislations that would require operators of local critical information infrastructures (CIIs) to take steps to safeguard their systems and swiftly report threats and incidents. Released by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), the proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.

The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.

So what would organisations need to take note of to ensure compliance?

For a start, businesses in CII sectors would need to appoint a "CII owner", which the bill had identified to be responsible for the protection of CIIs in their organisation, said Daryl Pereira, cybersecurity head at KPMG in Singapore.

The bill defined CII owners as those who had control over the operations of CII infrastructures and the ability to carry out changes to such infrastructures and who were responsible for ensuring "the continuous functioning" of CII Infrastructures.

In the government sector, CII owners would refer to the ministry's permanent secretary, who was responsible for budget approvals related to CII, or the chief executive or equivalent of a statutory body.

Pereira said CII owners would need to ensure their organisation fulfilled its statutory duties, which included reporting cybersecurity incidents to CS, participating in national cybersecurity exercises, and conducting regular audits on CIIs.

In particular, he noted, they should be mindful of the mandate to swiftly report cybersecurity threats and incidents as well as take appropriate actions to reduce further harm to the organisation and wider industry, should the threat have widespread impact.

"The proposed bill provides an impetus for the industry to take ownership of protecting their CII by placing emphasis on the appointment of CII owners at the individual level, rather than at the company level," he explained. "In many cases, the highest ranking person in the organisation may likely be the appointed CII owner."

This would have "far reaching effects" on the how roles and responsibilities within such organisations were designed, he said. "It will drive more visibility of cybersecurity matters at the board and c-suite levels and, ultimately, will increase the investment on cybersecurity readiness across all sectors in Singapore," Pereira said.

Citing KPMG's surveys, he said countries in Europe and US achieved higher cybersecurity readiness when there was appreciation that cyber risk was a business issue and when both business and IT heads assumed joint ownership of such initiatives.

Asked about his thoughts on the proposed bill, Quann's managing director Foo Siang-tse said establishing a national regulatory and licensing regime was a right step forward, particularly in a threat landscape that was increasingly complex.

The local security vendor was unable to reveal the number of CII owners it supported, but confirmed it offered services to various businesses including regulators and owners in the CII sectors.

Foo said the bill "rightfully" placed the responsibility on CII owners to safeguard their cybersecurity, charging them with the duty to conduct key initiatives such as audits and risk assessments.

These would ensure the companies had robust cybersecurity policies, infrastructures, and capabilities, he added, noting that it also scrutinised those that had "skewed market preference" for security devices while neglecting audits and processes.

He noted that professional standards of cybersecurity service providers and personnel would be tightened through certification and code of ethics, background screening, and skills certification. These would further ensure enterprises were well informed and properly protected, he said.

Foo said: "To address the information asymmetry in the market, especially for buyers, cybersecurity service providers should be subject to regulation over misconduct, such as provision of false representations and recommendations made without basis."

CenturyLink's Asia-Pacific vice president of IT services and managed hosting, Francis Thangasamy, concurred: "This bill seems to be with the intent of driving clearer accountability across the industry, consistency across the public and private sectors, and proactive cybersecurity measures."

Asked how many CII operators it supported here, Thangasamy also declined to reveal details. He said the US vendor was still evaluating the bill to determine if it needed to acquire a license, and would do so if required.

Clarity needed on what kind of services will need license

Foo, too, called for more details to be provided about the kinds of services that would be considered under the bill. Noting that Singapore was one of the first few countries in the world to regulate cybersecurity service providers, he said: "Given the wide spectrum of cybersecurity services available in the market, from penetration testing, security monitoring, incident response, to forensics investigation, clarity is needed on what constitutes the two kinds of services, especially non-investigative cybersecurity services."

Under the proposed bill, vendors providing both investigative and non-investigative cybersecurity work would require a license. These included organisations as well as employees that provided penetration testing services and managed security operations centres (SOCs).

The bill outlined investigative services as those that involved "circumventing the controls implemented in another person's computer or computer system" or where people performing the service had "a deep level of access to the computer or computer system, in respect of which the service is being performed, or to test the cybersecurity defences of the computer or computer system".

Investigative services included conducting forensic examination of systems, assessing, testing or evaluating the cybersecurity of systems, and searching for vulnerabilities in systems.

Individuals offering investigative services also would need a license. Failure to obtain one could result in a fine of up to S$50,000 or jail time of up to two years or both. In addition, licensees that failed to comply with any terms and conditions stipulated could face a fine of up to S$10,000 or jail term of up to one year, or both.

Pereira said the move to license these selected vendors and individuals seemed to indicate a desire to improve buyers' assurance on their service providers' capabilities and suitability to offer, what could sometimes be deemed, intrusive cybersecurity services. The licensing approach also would raise the quality bar for all cybersecurity service providers, he added.

When contacted, Fortinet also was unable to reveal how many CII customers it had in Singapore. Its country manager Thiantara Kruathorn, though, confirmed the vendor's clientele here included government agencies, telcos, financial services institutions, healthcare providers, media companies, and utility services providers.

While it would need more time to go through the draft bill, Fortinet believed the new laws--if passed--would significantly improve Singapore's cyber defences. Kruathorn noted, however, that the bill would be just the first step forward and enforcement would be critical.

CSA would have to put in place the right mechanisms to ensure all parties involved adhered to the rules, he said. "As the bill is confined to the jurisdiction of Singapore, the government needs to continue to collaborate with authorities beyond our borders to deal with cybercriminals residing overseas," he noted. "These would include agencies like Interpol and computer emergency response teams (CERTs) in countries around the world.

"This is important because many cybercriminals attacking Singapore interests are not based in this country," he said. "The bill is a work in progress. It must be refined as the business environment and cybersecurity requirements change. Cybersecurity stakeholders need to give the Singapore government, and one another, candid feedback as they work with it in the coming years."

Customer confidentiality must yield to government request

One thing is clear, though. With the CSA empowered to obtain information to ascertain if a system fulfilled the criteria of a CII, organisations impacted by the bill would have to obey such requests, and within "a reasonable period specified in the notice".

Foreign or local vendors affected by the new bill would not be able to cite customer confidentiality when asked to hand over information before or after a security incident, said Bryan Tan, partner at law firm Pinsent Masons, who specialised in technology and telecommunications.

"A legal power to require the production of information trumps client confidentiality," Tan noted. "The question that probably needs clarification, though, is whether legal privilege will still be protected."

Legal privilege protects communications between lawyers and their clients from being disclosed without the prior permission of the client.

Under the proposed bill, CII owners were required to notify CSA of "a significant cybersecurity incident" and "any other type of cybersecurity incident" in respect to their infrastructure and systems connected to the CII.

They also must have the mechanisms and processes to detect cybersecurity threats. CII owners that failed to alert CSA of threat incidents would face a fine of up to S$100,000 or jail term of up to two years, or both.

Tan advised companies providing cybersecurity services to obtain a license and underscored the need for CII owners to be aware of their obligations in order to stay in compliance. These included having their CIIs audited at least once every three years as well as conducting a cybersecurity risk assessment of their CIIs at least once every three years.

These requirements were deemed non-delegable, he said.

In addition, any cybersecurity service providers that had customers in the 11 essential services sectors outlined in the bill could be looking at contract re-negotiations, he noted.

The bill described managed SOC services to include monitoring, assessment, and defence of an organisation's systems for the purpose of preventing, detecting, and responding to cybersecurity threats or incidents. These would include preventing unauthorised access to, modification or, or copying of data stored in or processed by the systems.

It could potentially extend beyond local telcos to include cloud vendors that bundled such services as well as managed security service providers, such as CenturyLink, Fujitsu, IBM, Microsoft, and Alibaba Cloud.

Tan called for clear definitions so those that needed to take action could do so. "The thing about the bill is not so much its implementation, but whether its measures are effective to boost cybersecurity defences," he said.

The lawyer pointed out that the bill was one of the first local legislations to include whistleblower protection.

Asked if the government's exclusion from the country's data protection laws, but inclusion of the public sector as one of the 11 CII sectors, could raise any potential issues, Tan noted that the proposed bill stated that the government would not be liable to prosecution.

However, it indicated that government employees and vendors were subject to liability, he said.

Specifically, the bill stated: "Nothing in this act renders the government liable to prosecution for an offence. For the avoidance of doubt, no person is immune from prosecution for any offence under this act by reason that the person is an employee of or is engaged to provide services to the government."

Tan then probed: "So, the interesting question here is, would an elected official be considered a government employee?"

Because the need to address cyber threats was so urgent, KPMG's Pereira said the bill--in its initial phase--was intended to function alongside Singapore's Personal Data Protection Act (PDPA). This would steer organisations in both the private and public sectors to focus and prioritise efforts in protecting their critical information assets.

"Once the cyber readiness has begun to mature against the common baseline set forth by the cybersecurity bill, it is likely that the MCI [and] CSA will seek to harmonise the overlaps between the Cybersecurity Act and the PDPA," he said.

Asked if CenturyLink anticipated any issues with client confidentiality in the possibility that it might have to share information with CSA, Thangasamy said organisations impacted by the proposed rules already would understand such requirements. He said the vendor recognised "the gravity of customer confidentiality".

"Ideally, there should be an alignment on what's expected from an organisation or the end-user perspective and the managed security services (MSS) provider," he said. "Ultimately, CSA will be ensuring consistency regardless of whether the customer manages their security posture on their own or they decide to work with an MSS provider."

Editorial standards