Proposed amendments to the Cybersecurity Act in Singapore require essential service providers to report cyber-security outages and incidents faced by their suppliers. Additionally, these providers must ensure contractual assurances from their suppliers, as part of the bill tabled on April 3.

The Cybersecurity (Amendment) Bill also mandates organizers of major events and autonomous universities to disclose their cyber-security measures, according to the Cyber Security Agency of Singapore (CSA). This bill, the first of its kind since 2018, aims to broaden oversight of critical information infrastructure (CII) due to increased digitalization, obscuring threats.

The bill emphasizes that CII owners remain accountable for cyber security and resilience, even with new technological and business models like cloud computing. This includes reporting more incident types, such as those occurring in supply chains.

The critical sectors include energy, water, banking and finance, healthcare, transport, infocomm, media, security and emergency services, and government.

The amendments extend CSA’s oversight to CII and linked third-party systems. CII owners must ensure legally binding cyber-security commitments from third-party vendors, with penalties for non-compliance.

Designated digital infrastructure players and entities of special cyber-security interest must follow similar obligations under a separate framework, subject to “light touch” regulations.

The bill follows several rounds of public consultations since 2022, with respondents generally understanding the need for greater oversight. Concerns were raised regarding interconnected systems, costs, and inspection procedures.

The proposed laws aim to counter evolving cyber-criminal tactics to disrupt essential services, with CSA asserting that all CIIs should adhere to similar cyber-security requirements.

Inspection procedures will be implemented only when CII owners fail to comply, with penalties including fines based on the severity of the case.