Singapore is taking steps to ramp up cybersecurity, with increased regulation and oversight.
Singapore’s parliament recently updated its Cybersecurity Act, widening the scope of critical systems covered and increasing regulatory oversight to strengthen essential digital infrastructure and guard against evolving cyber threats to the country’s security, economy, and public services.
The island nation first enacted the Cybersecurity Act in 2018 to regulate critical information infrastructure (CII) and establish a national framework for cybersecurity. Since then, rapid technological changes and a shifting threat landscape have driven the need for reforms.
Following a review by the Cyber Security Agency of Singapore (CSA) and public consultation on a draft bill between December 2023 and January 2024, parliament passed the Cybersecurity (Amendment) Bill on May 7 this year to broaden protections for Singapore’s digital economy and infrastructure.
The new move introduces several expansions to the Act’s scope and oversight powers.
As aggregation and sharing of digital services across borders become increasingly common, the definition of CII will be updated to incorporate virtual systems and CIIs located overseas.
This may include “a multinational company that provides essential services in Singapore by relying on its computer systems overseas or on system infrastructure owned by a third-party vendor or affiliate,” say Lim Chong Kin and Anastasia Su-Anne Chen of Drew & Napier.
Lim is managing director of the firm’s Corporate & Finance practice group and head of the Data Protection, Privacy and Cybersecurity group, while Chen is a director in the latter practice group. Lim was recently named as Southeast Asia Data Privacy and Protection Lawyer of the Year at the ALB SE Asia Law Awards 2024.
Most notably, the Act will regulate new categories of critical digital assets, including owners of systems of temporary cybersecurity concern (STCC), entities of special cybersecurity interest (ESCI) and major foundational digital infrastructure services providers (FDI).
Companies must take steps to “review their internal processes, keeping in mind the notification and risk assessment obligations” under the Act, say Lim and Chen.
“If multinational companies are designated as providers of essential services, which are responsible for third-party-owned CII, they should obtain legally binding commitments from the third party who owns the CII to adhere to prescribed standards relating to cybersecurity, so that they can discharge their duties under the Act,” they add.
Specifically, providers of essential services relying on third-party-owned CIIs “will be required to notify the commissioner of any change in the beneficial or legal ownership of the third-party-owned CII, and any prescribed cybersecurity incident involving the third-party-owned CII,” they explain.
The amendments will strengthen the CSA’s oversight and enforcement powers over regulated entities, with reporting requirements for cyber incidents expanded to include impacts beyond just the CII itself.
In particular, owners of designated critical systems “should be cognisant of the expanded incident reporting obligations under the amended Act,” according to Lim and Chen.
The updates “additionally require the reporting of incidents that affect other computers under the owner’s control, and computers under the control of a supplier that are interconnected with or communicate with the CII,” they say.
They add that organisations categorised as “FDI service providers or ESCI will follow a light-touch regime.”
While both entities will need to notify regulators of cybersecurity incidents “that have a significant impact on their business operations in Singapore, designated FDI service providers will have reporting obligations related to incidents that result in a disruption or degradation to the continuous delivery of their FDI services in Singapore,” say Lim and Chen.
In addition to the updated Cybersecurity Act, the planned introduction of the Digital Infrastructure Act (DIA) in Singapore is intended to “regulate systems that would have a systemic impact in the event of disruptions,” including data centres, cloud services, banking platforms, transportation apps and digital identity networks, Lim and Chen say.
Though details have yet to be released, they anticipate the DIA will impose “incident reporting requirements as well as baseline resilience and security standards.”
Moreover, resilience oversight will extend beyond cybersecurity to also “address threats from misconfigurations in technical architecture to physical hazards such as fires, water leaks and cooling system failures,” Lim and Chen say.
To prepare for potential regulation, they advise companies to “conduct a risk assessment of their digital infrastructure, benchmark their resilience and security posture against international standards, and review their internal mechanisms to manage and escalate security incidents.”