Essential services providers to meet higher cyber-security standards under proposed law amendment


SINGAPORE - Essential services operators in Singapore must declare cyber-security outages and attacks faced by suppliers, as well as require these suppliers to provide contractual assurances, as part of proposed changes to the Cybersecurity Act tabled on April 3.

The authorities can also require organisers of major events here and autonomous universities to disclose their cyber-security measures under the Cybersecurity (Amendment) Bill.

The Cyber Security Agency of Singapore (CSA) said that the Bill – the first change to the Act since it came into force in 2018 – seeks to expand its oversight of critical information infrastructure (CII), as threats can often be obscured with increased digitalisation.

“The key aspect of the Bill is that it will ensure that CII owners remain responsible for the cyber security and cyber resilience of the CII, even as they embrace new technological and business models, like the use of cloud computing,” said CSA. “CII owners will also be required to report more types of incidents, such as those that happen in their supply chains.”

The critical sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.

The changes will expand CSA’s oversight of CII and any linked third-party systems, and give it levers to audit the digital defences of major event organisers, universities and other groups that hold sensitive data or perform significant functions.

CII owners will still bear responsibility for cyber incidents, including those that take place within the systems of their vendors, and even if the CII has been outsourced or offshored. The Bill will therefore require essential services providers to obtain legally binding cyber-security commitments from third-party vendors.

CII owners that fail to comply can face penalties.

The Bill also requires designated digital infrastructure players and entities of special cyber-security interest to follow similar obligations, under a separate framework where they are subject to “light touch” regulations as they are not owners of designated CII.

The Bill comes after several rounds of public consultations with companies, trade associations, government agencies and individuals since 2022.

Respondents generally understood the need for greater oversight, while some raised concerns about which systems in their periphery should be considered to be interconnected with their critical services, CSA said. Others asked about costs and how they would be inspected.

CSA said the proposed laws aim to address the evolving tactics cyber criminals use to disrupt essential services, adding: “CSA holds the view that all CIIs, regardless of whether they are outsourced or owned by CII owners, should be subject to similar levels of cyber-security requirements.”

On how systems will be inspected, CSA said the proposed law makes clear that the authorities will step in only when it appears the CII owner has failed to comply.

Once the new policies are in force, organisations that do not comply can be penalised through fines, depending on the severity of the case.
