2024 Amendments to the Cybersecurity Act 2018

19 June 2024. Published by Nick Lauw, Partner and Pu Fang Ching, Senior Associate

The Cybersecurity Act 2018 (the "Act") first came into force more than 6 years ago to establish a legal framework for the oversight and maintenance of national cyber security in Singapore. As Singapore continues to undergo a nation-wide movement to drive digital transformation both in the public and private sectors, there is an increasing need to update the Act to keep pace with developments in the cyber threat landscape, as well as Singapore's evolving technological operating context. In particular, Dr Janil Puthucheary, Senior Minister of State for Communications and Information ("Dr Janil") noted that since the enactment of the Act in 2018, businesses in Singapore have shifted away from owning and storing their critical information infrastructure on their own premises to using cloud computing and engaging third-party service providers to manage such information.

A Cybersecurity (Amendment) Bill (the "Bill") to amend the Act was first introduced in Parliament on 3 April 2024 and was passed by Parliament on 7 May 2024 at the second reading of the Bill. The Bill aims to enhance Singapore's cybersecurity defences in response to evolving business and technology models, and to address the "inventiveness" of malicious cyber actors. Singapore joins many other jurisdictions, such as the European Union, Malaysia, the United Kingdom and the US, which have enhanced their cybersecurity laws to address novel cybersecurity concerns.

The Bill enhances the existing legal framework for the maintenance of national cybersecurity in Singapore and the monitoring of Critical Information Infrastructure ("CII"), and seeks to expand the oversight of the Cyber Security Agency of Singapore ("CSA").

Key Changes to the 2018 Act

Wider meaning of computer and computer systems

Prior to the Bill, the Act treated CIIs as physical systems. Given that CIIs may now be virtual computer systems in light of technological developments, Clause 3(j) of the Bill extends the meaning of "computer" and "computer system" in specified portions of the Act to include "virtual computers" and "virtual computer systems". To more accurately reflect the realities of control over such systems, the Bill clarifies that the owner of such virtual computers or computer systems is the person having exclusive control over the operations and security of the CII, and not other parties that may supply the underlying physical infrastructure (e.g. data centre providers).

Regulation of providers of essential services who rely on third-party owned CII

Clause 14 of the Bill also introduces new provisions (under a new Part 3A) to regulate providers of essential services who rely on CII owned by third parties for the continuous delivery of essential services. The new provisions ensure that such providers remain responsible for the cybersecurity and cyber resilience of the computer systems relied upon to deliver the essential services they provide, even where a third party's computer system is relied upon for the continuous delivery of the essential service. Amongst other things, providers of essential services who rely on third-party owned CII will be required to obtain legally binding commitments (such as contractual obligations) from the vendors of such third-party owned CII to meet the cybersecurity standards and requirements applicable to CIIs, including but not limited to incident reporting, auditing and risk assessment. While the Bill does not seek to directly regulate third-party vendors of computer systems, vendors who work with providers of essential services would be required to operate CIIs in a manner that meets the cybersecurity standards and requirements under the amended Act. Essentially, what this means for businesses is that cybersecurity requirements will apply equally down the supply chain, wherever the risk of digital disruption to essential services lies.

Updates to CII-related provisions to report a wider range of cybersecurity incidents

To address the inventiveness of malicious cyber actors, the Bill also requires the reporting of a wider range of cybersecurity incidents. Under the Act, a CII owner is generally only obliged to report cybersecurity incidents relating to the CII, or to computers or computer systems that are interconnected with or communicate with the CII. Clause 12 of the Bill amends the Act to require CII owners under Part 3 to additionally report incidents that affect: (i) other computers under the owner's control; and (ii) computers under the control of a supplier that are interconnected with or communicate with the CII, insofar as the CII is owned by the provider of essential services.

These changes are intended to enable proactive steps to be taken to protect CIIs in the event of attacks on adjacent systems or if CII owners’ immediate suppliers are compromised, to pre-empt potential disruptions to essential services.

Regulation of new systems and entities

In addition to the above, the Bill introduces the following three new classes of regulated systems/entities, even if such systems or the systems used by such entities are not designated as CII under section 7 or the new section 16A of the amended Act. These regulated entities/systems are to be designated by the Commissioner of Cybersecurity at CSA ("Commissioner") by written notice.

  1. Systems of Temporary Cybersecurity Concern ("STCCs"): STCCs are systems that, for a time-limited or temporary period, are at high risk of cyberattacks and, if compromised, would damage Singapore's national interests.[1] Examples include pandemic vaccine distribution and high-profile international events such as the Youth Olympic Games.
  2. Entities of Special Cybersecurity Interest ("ESCIs"): ESCIs are entities that store sensitive information, or use a system which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.[2]
  3. Major Foundational Digital Infrastructure service providers ("FDIs"): FDIs are entities that serve a large number of businesses or organisations in providing services which promote the availability, latency, throughput or security of digital services.[3] The amended Act specifies cloud computing and data centre facility services as foundational digital infrastructure services.[4]

Dr Janil stated in his opening speech at the second reading of the Bill that designated ESCIs will not be disclosed publicly for security reasons, to avoid inadvertently advertising these entities as "worthy targets" to malicious actors. Companies will be able to appeal against the written notice of their designation as ESCIs, STCCs or FDIs under the amended Act.[5] Designation as an ESCI or an FDI takes effect for a default period of 5 years,[6] although the Commissioner may withdraw[7] or extend[8] the designation. Designation as an STCC takes effect for 1 year.

Companies that become designated as ESCIs, STCCs or FDIs under the amended Act are subject to various cybersecurity duties set out in the new Parts 3B, 3C and 3D of the amended Act. Amongst other things, the Commissioner is empowered to require designated ESCIs, STCCs or FDIs to furnish information on their computer systems, including information on the design, configuration and security of such systems.

Under the new provisions, the Commissioner is also empowered to issue written directions to designated ESCIs, FDIs and STCCs relating to various matters, including the following:

  1. the actions to be taken in relation to cybersecurity threats;
  2. compliance with technical standards, codes of practice and standards of performance applicable to the designated entities; as well as
  3. the appointment of an approved auditor to audit designated entities on their compliance with the Act or any applicable code of practice and standard of performance.[9]

Designated ESCIs, FDIs and STCCs are also required under the new provisions to report prescribed cybersecurity incidents.[10] As an example, a designated ESCI is required to report cybersecurity incidents which result in a breach of the availability, confidentiality or integrity of the entity's data, or which have a significant impact on the business operations of the entity. STCC owners are under a further duty to report not only incidents in respect of their own STCC, but also incidents affecting any computer system that is interconnected or in communication with the STCC, or that is under the control of a related supplier.[11] Designated ESCIs, FDIs and STCCs should expect to have to establish adequate mechanisms and processes, to be prescribed in the applicable codes of practice, to detect cybersecurity threats and incidents in respect of their systems.

While the criminal penalties prescribed under the Act for non-compliance generally involve a fine of up to $100,000 or imprisonment for a term not exceeding 2 years or both, the penalties prescribed for offences relating to designated ESCIs and FDIs are higher, with such offences attracting a fine of up to the greater of S$200,000 or 10% of annual turnover in Singapore. Continued non-compliance with certain duties under the new provisions could also entail a fine of $5,000 per day (or part thereof) during which the offence continues after conviction. Clause 20 of the Bill amends the existing criminal penalties by introducing new sections 37A to 37D to the Act, which will give the Commissioner the flexibility, with the Public Prosecutor's consent, to bring an action in court for civil penalties in respect of contraventions that are punishable as criminal offences.[12]

Conclusion

Moving forward, providers of essential services who engage third-party service providers to manage their CII should familiarise themselves with their newly added responsibilities under the new provisions, and review whether their contracts with vendors comply with the requirements to be introduced. Both owners and operators of computer systems should also keep up to date with the new categories of regulated entities prescribed under the Bill and prepare to comply with the written directions and codes of practice to be issued by CSA in due course should they become designated as such. When the amended Act eventually comes into effect (no date has yet been announced), entities that become designated as ESCIs, FDIs and STCCs should also review their processes to ensure that they have adequate mechanisms in place to detect cybersecurity threats and incidents.

[1] Section 17(1) of the amended Act.

[2] Section 18(1) of the amended Act.

[3] Section 19(1) read with section 2(1) of the amended Act.

[4] Schedule 3 of the amended Act.

[5] Section 35B of the amended Act.

[6] Section 18(3) of the amended Act.

[7] Section 18B of the amended Act.

[8] Section 18C of the amended Act.

[9] Sections 18E, 18L and 17E of the amended Act.

[10] Sections 18F(1) and (3), 18M and 17F of the amended Act.

[11] Section 17F of the amended Act.

[12] Section 37A of the amended Act.
