The Cybersecurity Agency of Singapore (CSA) is actively seeking public feedback on proposed amendments to the Cybersecurity Act. The move is prompted by the recognition that the five-year-old legislation might be rendered obsolete due to the rapid pace of technological advancements. With businesses adopting new technologies like cloud computing and evolving business models, the CSA deems it necessary for the Cybersecurity Act to evolve accordingly.
The proposed amendments primarily focus on enhancing supply chain security and extending regulatory oversight to digital technologies that fall outside the current definition of critical information infrastructure (CII). Under these changes, providers of critical infrastructure and essential services would be mandated to share information with the CSA commissioner about existing agreements with cloud providers, software suppliers, and supply chain vendors.
Moreover, the amendments aim to ensure that CII operators and owners take responsibility for the security of critical information and systems stored and operated by vendors or cloud providers. This involves conducting regular risk assessments and audits of vendors, with providers of essential services required to report cybersecurity incidents affecting vendors or suppliers.
In the event of non-compliance, the CSA commissioner is granted the authority to conduct on-site inspections of critical information infrastructure. These inspections can be triggered if the provider fails to adhere to the Cybersecurity Act or specific codes, practices, standards, and written directions from the commissioner.
Singapore has been progressively enhancing cybersecurity measures since the enactment of the Cybersecurity Act in 2018. The proposed amendments aim to address the security of digital infrastructure and online platforms not covered by the existing legislation. The CSA commissioner would be empowered to designate certain digital services entities as “foundational digital infrastructure,” subjecting them to specific cybersecurity protocols, incident reporting requirements, and regulatory directives.
CSA Commissioner David Koh stressed the importance of these updates to ensure the necessary safeguards for the digital infrastructure and services used by Singaporeans and businesses. The amendments would empower the CSA commissioner to establish rules on incident reporting requirements for major entities, impose financial penalties for non-compliance, and designate organizations as “entities of special cybersecurity interest” based on their potential impact on defense, foreign relations, economy, public health, safety, or public order. Additionally, the amendments provide for the designation of “systems of temporary cybersecurity concern” for critical systems required during specific time-limited periods. This may include systems supporting key international events or those set up for the distribution of vaccines during crises such as the COVID-19 pandemic.