SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
• first, to strengthen the protection of Singa - pore’s critical information infrastructure (CII) against cyber-attacks; • secondly, to authorise the CSA to lead in the prevention and response to cybersecurity threats and incidents; • thirdly, to establish a licensing framework to regulate cybersecurity service providers. In 2024, the government saw the need to update the Act to keep pace with changes in technol - ogy, business models and the cyber threat landscape. In so doing, the amendments will allow CSA to extend their regulatory oversight to important systems and entities not previous - ly covered under the Cybersecurity Act 2018, adopting a risk-based approach to regulating Cybersecurity in Singapore is broadly regulat - ed by a set of overlapping pieces of legislation which address the issues of national cybersecu - rity, cybercrimes, and personal data protection and management. In addition, certain sectoral regulators are empowered to directly address cybersecurity issues in their respective sectors through the issuance of regulatory codes, guide - lines, notices and instruments. Cybersecurity Act 2018 (Cybersecurity Act) The Cybersecurity Act is the dedicated cyberse - curity law which sets out the overarching frame - work for the oversight of national cybersecurity issues in Singapore, including the designation of computer systems as CII in essential sec - tors and co-ordinating the national response to cybersecurity incidents, amongst other things. The Cybersecurity Act requires owners of CII to notify the Commissioner of Cybersecurity in the event of the occurrence of certain cybersecu - entities for cybersecurity. 1.2 Cybersecurity Laws
rity incidents related to their CII. In this regard, a cybersecurity incident refers to an act or activity carried out without lawful authority on or through a computer or computer system that jeopard - ises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system. Since 2022, the Cybersecurity Act provides for the licensing of certain cybersecurity service providers (CSPs). At present, this includes CSPs that provide penetration-testing and managed security operations centre monitoring services. To keep up with the evolving cybersecurity threats and nature of businesses, the Cyberse- curity (Amendment) Bill was passed in Singapore Parliament on 7 May 2024 to expand the CSA’s oversight to new entities beyond CII owners. The four new categories (please see 2.2 Critical Infrastructure Cybersecurity Requirements for further details) of entities are: • essential service providers who use CII owned by a third party; • major foundational digital infrastructure (FDI) service providers; • entities of special cybersecurity interest; and • owners of systems of temporary cybersecu - rity concern. Importantly, the amendments have extended the definition of CIIs to include any computer or computer system, whether they are physical or virtual, located wholly or partly in Singapore which may be designated as CII. Such designa - tion may arise if the Commissioner is satisfied that the computer or computer systems are nec - essary for the continuous delivery of an essential service, and the loss or compromise of such sys - tems will have a debilitating effect on the avail - ability of the essential service in Singapore. At
226 CHAMBERS.COM
Powered by FlippingBook