The Cybersecurity Bill was passed on 5 Feb 2018 and received the President’s assent on 2 Mar 2018 to become the Cybersecurity Act. The Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its four key objectives are to:
1. Strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks.
CII are computer systems directly involved in the provision of essential services. Cyber-attacks on CII can have a debilitating impact on the economy and society. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to proactively protect the CII from cyber-attacks. This builds resilience into the CII, protecting Singapore’s economy and our way of life. The CII sectors are: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.
2. Authorise CSA to prevent and respond to cybersecurity threats and incidents.
The Act empowers the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents to determine their impact and prevent further harm or cybersecurity incidents from arising. The powers that may be exercised are calibrated according to the severity of the cybersecurity threat or incident and measures required for response. This assures Singaporeans that the Government can respond effectively to cybersecurity threats and keep Singapore and Singaporeans safe.
3. Establish a framework for sharing cybersecurity information.
The Act also facilitates information sharing, which is critical as timely information helps the government and owners of computer systems identify vulnerabilities and prevent cyber incidents more effectively. The Act provides a framework for CSA to request information, and for the protection and sharing of such information.
4. Establish a light-touch licensing framework for cybersecurity service providers.
CSA adopts a light-touch approach to license only two types of service providers currently, namely penetration testing and managed security operations centre (SOC) monitoring. These two services are prioritised because providers of such services have access to sensitive information from their clients. They are also relatively mainstream in our market and hence have a significant impact on the overall security landscape. The licensing framework seeks to strike a balance between security needs and the development of a vibrant cybersecurity ecosystem.
You can access the Cybersecurity Act on Singapore Statutes Online.
For the Explanatory Statement of the Cybersecurity Act, please click here [192KB].
For FAQs, please click here [253KB].