Cybersecurity 2025

SINGAPORE Trends and Developments Contributed by: Sheena Jacob, Jaya Malhotra, Sherman Poon and Andre Choo, CMS

al changes to the Cybersecurity Act 2018 (the “Act”) although it has yet to come into force.

disruption of the computer will have a significant detrimental effect on key interests like foreign relations, the economy or public health, such as Singapore’s autonomous universities. However, ESCIs will be subject to less stringent regulatory requirements than CIIs. Thirdly, entities which provide cloud computing services and/or data centre facility services may be designated major foundational digital infra - structure (“major FDI”) service providers if they provide FDI services (in Singapore or outside Singapore, if the offshore FDI service is provided to persons within Singapore), and any impedi - ment to the provision of the FDI service would likely disrupt or affect the operation of many organisations in Singapore which utilise that FDI. The amendments will reinforce Singapore’s cybersecurity framework, enabling the authori - ties to proactively survey the threat landscape and to take the necessary steps to counter adverse outcomes. Parliament has also announced that it is studying the possibility of introducing a new Digital Infra - structure Act, a piece of legislation complemen - tary to the Cybersecurity Act 2018 that focuses on related aspects of cybersecurity and digital infrastructure. The proposed law is envisaged to focus more broadly on the governance, regula - tion and protection of key digital infrastructure, as large cloud service providers and data cen - tres are crucial to the smooth operations of a variety of digital services that organisations and consumers use daily (see here and here ). Importance of constantly re-assessing cyber- readiness The importance of continually updating cyber- related laws to keep abreast of a myriad of poten - tial threats was further highlighted by the global

Changes to the CII regime Key amendments include:

• widening the ambit of the Act to cover virtual computers, in light of the increasing reliance on cloud technology; • broadening the CSA’s jurisdiction to moni - tor and regulate certain offshore computers where the owner is in Singapore and where the computers would be regulated as CII if they were located at least partly in Singapore; • expanding the incident reporting duties of CII owners to include threats to their supply chain or of any incidents where their supply chain has been affected; and • regulating the providers of essential services, where those services are provided on digital infrastructure owned by third parties. Designation of STCCs, ESCIs and major FDIs Furthermore, the Act will regulate new entities and systems. First, computers may be designated as systems of temporary cybersecurity concern (STCC) where there is a high risk of a cybersecurity risk or threat against it, and where any harm against it will have serious detrimental effects. This enables the CSA to monitor the cybersecurity of key computers which may be more attrac - tive to threat actors, such as the systems imple - mented to facilitate the distribution of during the COVID-19 pandemic. STCCs will be regulated similarly to CIIs. Secondly, certain organisations may be desig - nated as entities of special cybersecurity inter - est (ESCI) if they store sensitive information or use a computer to perform a function, where the

248 CHAMBERS.COM

Powered by