Industry Consultation

Industry Consultation on the Licensing Framework for Cybersecurity Service Providers

20 September 2021

     The Cyber Security Agency of Singapore (CSA) is seeking industry feedback on the proposed licence conditions and draft subsidiary legislation under the licensing framework for cybersecurity service providers found in Part 5 of the Cybersecurity Act.

Introduction

2.     The Cybersecurity Act came into force on 31 August 2018 with the exception of the licensing framework under Part 5, which was then deferred to allow for further study and consultation to enhance its practicability for cybersecurity service providers.  The licensing framework aims to address three main considerations over time:

(a) Provide greater assurance of security and safety to consumers;

(b) Improve the standards and standing of cybersecurity service providers; and

(c) Address the information asymmetry between consumers and the cybersecurity service providers.

3.     For a start, CSA will license only two types of service providers, namely those providing penetration testing and managed security operations centre monitoring services. These two services are prioritised because service providers performing such services can have significant access into their clients’ computer systems and sensitive information. In the event that the service is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.

Scope of Consultation

4.     CSA is inviting industry feedback on the proposed licence conditions and draft subsidiary legislation. Some of the key proposals include:

(a) Professional conduct of licensees: To provide a baseline level of protection for consumers of cybersecurity services, CSA is proposing for licensees to comply with requirements such as maintaining confidentiality about their clients’ information; not making any false representation in advertising their services or in the provision of its service; exercising due care and skill; and acting with honesty and integrity.

(b) Provision of information: To facilitate CSA’s investigations into potential breaches by licensees, or matters relating to the licensees’ continued eligibility to be a holder of the licence, licensed cybersecurity service providers are to provide information concerning or relating to its cybersecurity services upon request, and within the timeframes specified by the Licensing Officer.

(c) Notification requirements: Under the Cybersecurity Act, cybersecurity service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Licensees are also required to keep records on the cybersecurity services that have been provided to clients for a duration of at least three years. To ensure that licensees remain fit and proper, CSA is proposing for licensees to notify the Licensing Officer within 14 days on changes to information such as those relating to the honesty, integrity and financial soundness of the business and its key executive officers, which may affect the licensee’s continued eligibility to be licensed. To ensure that the licensees’ key executive officers are fit and proper, licensees are to notify the Licensing Officer at least 30 days before the appointment of new key executive officer(s).

Period of Consultation

5.     The industry consultation will be held from 20 September to 18 October 2021.

Submission Format and Feedback channel

6.     Respondents should organise their submissions as follows:

(a) Cover page (including name of the organisation/respondent; contact details such as the contact number and email address; and description of the licensable cybersecurity services provided by the organisation/respondent);

(b) Summary of feedback;

(c) Comments; and

(d) Conclusion.

Supporting materials may be enclosed as an annex to the submission.

7.     All submissions should be clearly and concisely written, and should provide a reasoned explanation for any feedback. Where feasible, please identify the specific paragraph, condition, or regulation of the named document which you are commenting on.

8.     All submissions should reach CSA no later than 5pm on 18 October 2021. Late submissions will not be considered. Submissions are to be in softcopy only (in Microsoft Word format). Please send your submissions to Consultation@csa.gov.sg, with the subject header “Industry Consultation on the Licensing Framework for Cybersecurity Service Providers”.

9.     CSA reserves the right to make public all or parts of any written submission and to disclose the identity of the source. Respondents may request confidentiality treatment for any part of the submission that the respondents believe to be proprietary, confidential or commercially sensitive. Any such information should be clearly marked and placed in a separate annex. Respondents are also required to substantiate with reasons any request for confidential treatment. If CSA grants confidential treatment, it will consider, but will not publicly disclose, the information. If CSA rejects the request for confidential treatment, it will return the information to the respondent, and will not consider this information as part of its review. As far as possible, respondents should limit any request for confidential treatment of information submitted. CSA will not accept any submission that requests confidential treatment of all, or a substantial part, of the submission.

Documents to Download

10.     The industry consultation document can be downloaded below, within which the proposed licence conditions and draft subsidiary legislation are set out at Annex A and Annex B respectively.

• Industry Consultation Document