Industry Consultation On The Licensing Framework For Cybersecurity Service Providers

20 Sep 2021

The Cyber Security Agency of Singapore (CSA) is seeking industry feedback on the proposed licence conditions and draft subsidiary legislation under the licensing framework for cybersecurity service providers found in Part 5 of the Cybersecurity Act[1]. The consultation will commence on 20 September 2021 for a period of four weeks.

Background on the licensing framework 

The Cybersecurity Act came into force on 31 August 2018 with the exception of the licensing framework found in Part 5 of the Act. The licensing framework was deferred to allow for further study and consultation to enhance its practicability for cybersecurity service providers.

The licensing framework aims to address three main considerations over time:

(a)  Provide greater assurance of security and safety to consumers;
(b)  Improve the standards and standing of cybersecurity service providers; and
(c)  Address the information asymmetry between consumers and the cybersecurity service providers.

The framework will give CSA the means to take punitive measures against errant cybersecurity service providers, including the issuance of financial penalties or notices of censure.

For a start, CSA will license only two types of service providers, namely those providing penetration testing and managed security operations centre monitoring services. These two services are prioritised because service providers performing such services can have significant access into their clients’ computer systems and sensitive information. In the event that the service is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.

All providers of the licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed.

The licensing framework is expected to be implemented by early 2022. This will factor in time to study the feedback received and to finalise the licence conditions and subsidiary legislation.

Scope of industry consultation

CSA is inviting industry feedback on the proposed licence conditions and draft subsidiary legislation. Some of the key proposals include:

a) Professional conduct of licensees: To provide a baseline level of protection for consumers of cybersecurity services, CSA is proposing that licensees comply with requirements such as maintaining confidentiality about their clients’ information; not making any false representation in advertising their services or in the provision of their services; exercising due care and skill; and acting with honesty and integrity.

b) Provision of information: To facilitate CSA’s investigations into potential breaches by licensees or matters relating to the licensees’ continued eligibility to be a holder of the licence, licensed cybersecurity service providers are to provide information concerning or relating to their cybersecurity services upon request, and within the timeframes specified by the Licensing Officer.

c) Notification requirements: Under the Cybersecurity Act, cybersecurity service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Licensees are also required to keep records on the cybersecurity services that have been provided to clients for a duration of at least three years. To ensure that licensees remain fit and proper, CSA is proposing that licensees notify the Licensing Officer, within 14 days, of changes to information such as those relating to the honesty, integrity and financial soundness of the business and its key executive officers, which may affect the licensee’s continued eligibility to be licensed. To ensure that the licensees’ key executive officers are fit and proper, licensees are to notify the Licensing Officer at least 30 days before the appointment of new key executive officer(s).

Submission of feedback

The industry consultation document and procedures for submission of feedback are available on CSA’s website at www.csa.gov.sg. Interested parties from the industry may wish to send their feedback via email to consultation@csa.gov.sg. All submissions should reach CSA no later than 18 October 2021, 5pm.

Please refer to Annex A for the full industry consultation document.

Annex A: Industry Consultation Document

 


[1] The Cybersecurity Act was introduced to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its four key objectives are to: (a) provide a framework for the regulation of Critical Information Infrastructure; (b) provide CSA with powers to manage and respond to cybersecurity threats and incidents; (c) establish a framework for the sharing of cybersecurity information, and (d) establish a licensing framework for cybersecurity service providers.

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our National Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.