Proposed law will require owners of critical services like water, banking to report more types of cybersecurity incidents

This will allow the Cyber Security Agency of Singapore to be more aware of threats that could potentially cause disruptions to essential services such as water, electricity and banking.

Critical information infrastructure are computer systems necessary for the delivery of essential services such as water and electricity. (Photo: iStock/PUGUN SJ)

SINGAPORE: Owners of critical information infrastructure (CII), such as those providing water, electricity and banking services, will be required to report more types of cybersecurity incidents, including those that happen in their supply chains, under a new proposed law. 

This way, the Cyber Security Agency of Singapore (CSA) said it can be more aware of the cybersecurity threats that could potentially cause disruptions to Singapore’s essential services and work with owners more proactively to secure them.

Tabled in parliament on Wednesday (Apr 3), the Cybersecurity (Amendment) Bill will update existing provisions relating to the cybersecurity of CII as well as expand CSA’s oversight to cover Systems of Temporary Cybersecurity Concern or STCCs. 

STCCs are computer systems that are critical to Singapore and are at a high risk of cyberattacks because of certain events or situations.

The Bill seeks to amend the Cybersecurity Act 2018, which establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore.

The objective of the Bill, which would amend the Act for the first time, is to ensure that the law keeps pace with developments in the cyber threat landscape, as well as Singapore’s evolving technological operations, said CSA in a media release on Wednesday.

A key aspect of the Bill is also to ensure that CII owners remain responsible for the cybersecurity and cyber resilience of the systems, while embracing new technological and business models such as cloud computing, said CSA.

The intention to amend the law was first laid out by Minister for Communications and Information Josephine Teo last month when she spoke in parliament about her ministry’s spending plan. 

She said the law needed to change to reflect the increasing importance of ensuring the cybersecurity of the digital infrastructure and services that power Singapore’s digital economy, as well as allow citizens to meet their day-to-day needs.

WHAT THE BILL COVERS

At present, CII owners are only required to report cybersecurity incidents concerning the critical infrastructure, and computer systems under their control that are interconnected or communicate with the infrastructure.

If the new law is passed, owners will also have to report incidents targeting systems that are peripheral to CII. 

Besides critical infrastructure, the Bill will also allow CSA to proactively secure STCCs to ensure the cybersecurity of these systems.

An example of an STCC would be the temporary systems used to support the distribution of critical vaccines during a pandemic. During the COVID-19 pandemic, vaccine distribution systems deployed by healthcare organisations around the world were targeted by malicious cyber actors.

In addition, CSA will create two new classes of regulated entities: Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI). 

These two classes will be subjected to “light touch” regulations as they are not critical information infrastructure. 

ESCI, such as autonomous universities, may hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, safety, or order of Singapore.

Under the Bill, CSA will be able to designate and regulate ESCI for cybersecurity. The obligations imposed on these entities will not be at the same level as those for CII, Singapore’s cybersecurity agency said.

Where disruptions to a regulated system or entity pose less serious risks to Singapore, CSA's regulatory approach is calibrated such that the obligations are "not so onerous" that they place an undue compliance burden on the regulated entities, while protecting public interest, the agency said.

Hence, ESCI - unlike CII owners - are not required to submit audit reports or risk assessments to CSA. They will also not be required to participate in national cybersecurity exercises. 

Lastly, the Bill also requires companies such as cloud service providers and data centres to be responsible for the cybersecurity of such digital infrastructure.

This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will also not be at the level of a CII, said the agency.

CSA added that it had consulted extensively on the Bill, through stakeholder and public consultations. If passed, the agency said it will continue to consult closely with stakeholders to operationalise the Bill.

Source: CNA/ng(ac)