Comprehensive Cybersecurity Bill published for consultation in Singapore

A briefing from Norton Rose.

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of public. The public consultation runs from 10 July to 3 August 2017.

This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October in 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year (see our publication on the amendments).

Comment: Singapore’s strategy of being a smart nation and financial centre has at its core a resilient and strong foundation in cybersecurity. This Bill helps ensure that this objective is achieved by focusing on the continuity of essential services in Singapore. It also comes at a time when the business world is reeling from the impact of the WannaCry and NotPetya attacks.

The Bill takes an holistic approach to the regulation of cybersecurity by: giving the CSA oversight of the regime and enforcement powers to police the regime; providing a framework for regulation of critical information infrastructure systems, including mandatory breach notification; and establishing a licensing framework for cybersecurity service providers.

The consultation paper notes that the regulatory framework will be flexible to take account of the unique circumstances of each sector. It will also require a proactive approach to enhance cybersecurity before threats and incidents happen – based on the risk profile of the sector. Offences and penalties are to ensure compliance with the Bill rather than punish those that suffer from cyberattacks.

Who is covered – Critical Information Infrastructure

A key thrust of the Bill is the identification of 11 critical sectors as providing “essential services” and the ability to of the CSA to designate as CII any computer or computer system necessary for the continuous delivery of essential services as CII. It applies to both the public and the private sector.

The 11 critical sectors identified are:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

Computers and computer systems that are necessary during times of national emergency may also be designated as CIIs – and so it could potentially cover any sector.

The CSA may also designate a person as the owner of a CII (a CIIO). The Bill proposes to define an “owner of a CII” as a person who has effective control over the operations of the CII and has the ability and right to carry out changes to, or is responsible for, the continuous functioning of the CII. The CSA may require certain information in advance from the owner to determine if a system is a CII. The designation of systems as CII will be treated as an “official secret” under the Official Secrets Act, and will not be divulged to the public.

Duties of CII owners

CII owners are subject to the following statutory duties to:

  • provide information
  • comply with codes and directions
  • report incidents – ie breach notification to the CSA
  • conduct audits by an auditor approved by the Commissioner of Cybersecurity (the Commissioner)
  • conduct risk assessments
  • participate in exercises

In addition, CII owners are required to comply with any code of practice or relevant standard issued under the Bill.

Failure to comply with these duties is a criminal offence – due to the national security implications of non-compliance.

CSA is the central cybersecurity authority

The Bill proposes to vest the extensive supervisory and regulatory powers on a Commissioner of Cybersecurity (the Commissioner), which is a position that will be held by the Chief Executive of the CSA.

CSA – Extensive Enforcement Powers

Apart from its supervisory powers over CIIs, the Bill also confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents. These powers include the power to examine persons, produce evidence, and where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities, take steps to assist in the investigation and perform a scan of a computer or computer system to detect cybersecurity vulnerabilities. Property may also be seized. This applies to all computer or computer systems in Singapore, and is not limited to CIIs.

The Minister has the power to impose extraordinary emergency cybersecurity measures and requirements if the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the essential services or national security, defence, foreign relation, economy, public health, public safety or public order of Singapore. This includes the power to authorize a specified person to direct another person to provide information “relating to the design, configuration or operation of any computer, computer program or computer [service][system]” if it is necessary to identify, detect or counter any such threat.

Companies and institutions should therefore be prepared for such actions, and have the necessary protocols in place to facilitate and respond to these investigations and regulatory actions.

Assistant Commissioners – from other Regulators

The Bill grants the Minister the power to appoint as Assistant Commissioner public officers from other Ministries or from other regulators. This is an unusual feature as certain public officials would be double-hatting as an Assistant Commissioner of Cybersecurity and as an official from another Ministry or statutory body performing a similar regulatory/supervisory function.

Assistant Commissioners are, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each sector. Therefore, CIIOs will know the Assistant Commissioners from existing regulatory relationships. For example, the Assistant Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CIIOs on dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.

Regulating Cybersecurity Service Providers

There is a proposal to license and regulate cybersecurity service providers. It is recognized that since cybersecurity service providers are given access to customer systems and networks, they gain a deep understanding of system vulnerabilities, and that there should be some assurance concerning ethics and standards these providers should meet. The Bill proposes a licensing framework for cybersecurity service providers for two types of licences – investigative cybersecurity services (penetration testing) and non-investigative cybersecurity services (managed security operations). The list of licensable services is set out in the Second Schedule, which may be amended by the Minister.

Licensed providers will need to meet certain basic requirements concerning: key executive officers to be fit and proper; retention of service records for 5 years; compliance with a code of ethics; and ensuring that employees performing the services are fit and proper. These requirements will also apply to overseas providers.

At this stage, it is not clear how the CSA would evaluate applicants for licensing, and the CSA will have a further consultation with industry on detailed requirements before it is implemented.

What this Bill may mean for you

  • Organizations operating in a critical sector and potentially owning CIIs should put in place an overarching cybersecurity policy tailored to the organization’s needs and the requirements of the regime. This policy should set out the organization’s approach to meeting its legal and regulatory obligations, and specify who is accountable for the CII within the organization. Ideally, this person should be at C-suite level.
  • As a result of the Commissioner’s powers to respond to, and prevent, cybersecurity incidents, we recommend that all organizations should have in place a comprehensive cyber-response plan that includes protocols for responding to, and cooperating with, requests from the Commissioner on cybersecurity. This will minimize disruption to operations and ensure compliance with regulatory obligations.
  • Cost of compliance will increase – in particular in respect of the new licensing regime for cybersecurity service providers that will likely be passed onto customers, but given the impact of recent cyberattacks on business such as WannaCry and the NotPetya Ransomware, this is likely the new reality and cost of doing business in a technology enabled world.