Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

Owners of CII must also conduct penetration tests on relevant CII assets after implementing any major system changes to the CII. Major system changes include commissioning any new systems to be connected to the CII, implementing new application modules, system upgrades and technology refresh.

It is the responsibility of CII owners to ensure that third-party penetration testing service providers and their penetration testers possess industry-recognised accreditations and certifications respectively, for example CREST or equivalent accreditations and certifications.

Relatedly, owners of CII are also required to establish a red teaming or purple teaming attack simulation plan, and conduct a red teaming or purple teaming attack simulation on its CII at least once every 24 months to test and validate the effectiveness of its cybersecurity measures against prevalent cybersecurity threats.

Cybersecurity Service Provider Licences

The Cybersecurity Services Regulation Office (CSRO) was set up to administer the licensing framework for CSPs under the Cybersecurity Act. It aims to address three main considerations:

• provide greater assurance of security and safety to consumers;
• improve the standards and standing of CSPs; and
• address the information asymmetry between consumers and CSPs.

All providers of managed security operations centre monitoring services and penetration testing services as defined in the Cybersecurity Act to the Singapore market must apply to the CSRO for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals or third-party CSPs that provide these services in support of other CSPs.

IoT Devices

On 3 March 2020, the MDDI (then Ministry of Communication and Information) introduced the Cybersecurity Labelling Scheme (CLS) as part of Singapore’s Safer Cyberspace Masterplan 2020. The CLS was formally launched on 7 October 2020, initially as a voluntary scheme for Wi-Fi routers and smart home hubs, and was subsequently expanded to include all smart home devices.

The CLS provides different cybersecurity rating levels for registered IoT devices and other smart devices to help consumers easily assess the level of security offered and make informed choices in purchasing a device. A Level 1 certification indicates that the product meets basic security requirements such as ensuring unique default passwords and providing software updates, whilst a Level 4 certification indicates that the product has undergone structured penetration tests by approved third-party test labs and fulfilled the requirements of all lower levels (ie, Levels 1, 2 and 3).

In 2024, the CSA updated Singapore’s Operational Technology Cybersecurity Masterplan. The updated Masterplan now includes operators of operational technologies that support physical control functions such as IoT and industrial IoT devices, as such devices have become new attack surfaces for threat actors to exploit. The key initiatives under the Masterplan include:

• enhancing the operational technology cybersecurity talent pipeline;
• enhancing information sharing and reporting;
