Draft Cybersecurity Bill Introduced In Singapore – 5 Key Takeaways For Your Organisation.
Legal News & Analysis - Asia Pacific - Singapore - Cybersecurity
24 July, 2017
After much anticipation, the Singapore Cyber Security Agency (CSA) released a draft Cybersecurity Bill on 10 July 2017, inviting the public to provide feedback on the proposed Bill as part of a public consultation exercise that will run until 3 August 2017.
The Cybersecurity Bill is an omnibus, sector-agnostic, cybersecurity law. The Bill also applies equally to both public and private sectors. The intention is to ensure that all sectors in Singapore subscribe to and implement a coordinated, consistent cybersecurity framework, and that the CSA may address cybersecurity threats across all sectors, and not just the more critical and highly regulated ones. The Bill also facilitates a pro-active approach to cybersecurity, requiring measures to be taken to enhance the cybersecurity of computer systems before cybersecurity threats and incidents happen.
The introduction of the Bill comes at a time when large scale, system-debilitating cyber-attacks are becoming frequent and sophisticated. With an increase of these incidents both globally and locally, our clients have likewise started to pay closer attention to cybersecurity in their organisations, implementing technical measures and security frameworks to protect their systems from cyber-attacks and, more importantly, the debilitating effects on business operations and reputation that these attacks will have. This Bill, when passed into law, will add another layer of regulatory compliance for organisations.
Having reviewed the Bill, we have identified five key takeaways for your organisation, as outlined below.
The Bill includes a process for the Commissioner of Cybersecurity to identify and designate a computer or computer systems as “critical information infrastructure”. This indicates an intention that you do not need to self-assess whether you own any “critical information infrastructure”, but rather that the Commissioner will make this decision. However, this is not entirely clear from a plain reading of the Bill (as the definition of “critical information infrastructure” does not refer to the designation process), which does leave an open question as to whether an organisation has a responsibility to determine itself whether it owns any “critical information infrastructure”. This will hopefully be an issue that is resolved during the public consultation.
In any event, the Commissioner has the power to obtain information from organisations to determine if they own “critical information infrastructure”. If you operate in one of the identified critical sectors, it would be prudent to begin an assessment of which of your computer systems may fall within the definition of “critical information infrastructure” in anticipation of the Commissioner engaging with you (once the Bill has passed to law) to obtain more detail about your computer systems.
1. Are you an owner of “Critical Information Infrastructure”?
Part 3 of the Bill, which contains operative compliance requirements (described further in paragraph 2 below), applies to owners of “critical information infrastructure”, where such infrastructure is located wholly or partly in Singapore.
What is “critical information infrastructure”?
“Critical information infrastructure” is defined in the Bill as:
A computer or a computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
The government has identified (in the First Schedule to the Bill) a list of these “essential services”, covering services in the following 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
The Minister-in-charge of Cybersecurity also retains the power to add more essential services to this list.
2. Key compliance requirements for owners of “critical information infrastructure”
Part 3 of the Bill imposes some notable compliance requirements on owners of “critical information infrastructure”. A failure to comply with these requirements carries with it criminal sanctions. These are:
Notification requirement: Owners of “critical information infrastructure” must notify the Commissioner of “significant cybersecurity incidents” in respect of:“critical information infrastructure”; or
computer systems under their control which are interconnected with or communicate with the “critical information infrastructure”1.
A failure to notify the CSA of such an incident is a criminal offence punishable by a fine up to S$100,000, imprisonment of a term of up to 2 years, or both.
We have two main observations regarding this requirement:
- there is a lack of guidance as to what is the threshold of a “significant” cybersecurity incident – guidance from the CSA on this will be helpful; and
- more broadly, there is a general duty to notify the Commission of “any cybersecurity incident” that occurs2, and this duty does not carry with it a criminal penalty for non-compliance.
Therefore, the prudent approach seems to be for all owners of “critical information infrastructure” to notify the CSA of any cybersecurity incidents it suffers.
The Commissioner retains broad powers to request for technical information about “critical information infrastructure” from an owner, and to issue written directions to owners.
Audit requirement: Owners of “critical information infrastructure” must conduct a compliance audit against the provisions of the Bill and any codes of practice or standards of performance issued by the Commissioner at least once every 3 years. This risk assessment report must then be furnished to the Commissioner not later than 30 days after the completion of the audit. Again, criminal sanctions apply for a failure to comply with these requirements.
Commissioner’s powers to obtain technical information and issue directions: The Commissioner retains broad powers to request for technical information about “critical information infrastructure” from an owner, and to issue written directions to owners (which may include actions to take in relation to a cybersecurity threat, or to appoint an auditor to audit the cybersecurity of the owner’s systems). The Bill further provides that regulations (e.g. banking and privacy rules) that forbid the sharing of confidential information will be superseded by the Bill.
If I am an owner of “critical information infrastructure”, what are my duties?
As an owner of “critical information infrastructure”, your key duties are:
- To provide information about the technical architecture of your “critical information infrastructure” to the Commissioner, if requested.
- To comply with any codes of practice, standards of performance or written directions issued by the Commissioner.
- To notify the Commissioner of cybersecurity incidents.
- To conduct regular audits and risk assessments of the compliance of the “critical information infrastructure” with the Bill and other codes or standards.
- To participate in national cybersecurity exercises conducted by the Commissioner for the purposes of testing the state of readiness of owners of “critical information infrastructure”.
- To notify the Commissioner of material changes to the “critical information infrastructure”.
- To notify the Commissioner of changes of ownership of “critical information infrastructure”.
3. How does the Bill affect organisations that do not own “critical information infrastructure”?
Under Part 4 of the Bill, the CSA retains broad powers to investigate and prevent cybersecurity incidents generally. These powers vary, depending on the severity of the cybersecurity incident, and importantly, may be exercised in respect of any computer or computer system in Singapore, not only “critical information infrastructure”.
In cases involving serious cybersecurity incidents, the Commissioner may exercise a higher threshold of powers, including:
- directing any person to carry out remedial measures (e.g. cleaning computers of malware, disconnecting computers from an infected network, redirecting malicious data traffic to designated computer servers);
- directing owners of computer systems to assist with investigations, which may include monitoring these systems for a prescribed period, or even allowing investigating officers to install software programs on it; and
- entering the premises owned or occupied by any person to have access to a computer system in it.
The Minster holds an even broader gamut of powers in the event of emergency cybersecurity incidents. In the event of such an emergency, the Minister may effectively take any steps that he or she deems necessary.
A failure to comply with these directions will attract criminal penalties.
The CSA’s exercise of these powers may have the practical effect of causing severe interruptions to business operations. There are early indications that the CSA is indeed aware of this, and has assured in the Public Consultation Paper on the Draft Cybersecurity Bill that there will be an internal governance process within CSA to ensure that the powers are exercised responsibly and in accordance with the Bill, and only by qualified persons.
More critically, however, organisations must start to consider how it can comply with these directions if they receive them. As it is the nature for cybersecurity incidents to escalate quickly, organisations cannot expect sufficient lead time from the Commissioner to implement these directions, and must respond with some urgency. For example, some organisations may not have in-house technical capabilities to clean computer systems of malware, or redirect malicious data traffic immediately on command. If you are one of these organisations, it will be prudent to begin considering options available to comply with these directions.
4. Licensing regime for cybersecurity service providers
Part 5 of the Bill introduces a brand new licensing regime for cybersecurity service providers. At this stage, the Bill requires service providers to be licensed if they provide:
- investigative cybersecurity services in the form of penetration testing services; or
- non-investigative cybersecurity services in the form of managed security operations centre monitoring services.
These service providers will need to obtain a cybersecurity service provider’s licence from the CSA to provide and supply these services. The Minister may add more categories of licensable cybersecurity services. The Public Consultation Paper on the Draft Cybersecurity Bill indicates that the intention is to create a light-touch regulatory regime for cybersecurity service providers to raise quality in the industry and help organisations make an informed choice on cybersecurity services.
Am I providing or supplying a licensed cybersecurity service?
The Bill defines in some detail what “investigative cybersecurity services” and “non-investigative cybersecurity services” are3. Helpfully, the Bill also clarifies that a person does not provide a licensable “cybersecurity service” only because the person:
- sells self-install computer programs intended for the protection of the cybersecurity of a computer; or
- provides services for the management of a computer network / system, that is aimed at ensuring the availability of or enhancing the performance of the computer network or computer system.
If you have questions about whether your business would be considered a licensed cybersecurity service under the Bill, feel free to contact us for a discussion.
Organisations must start to consider how it can comply with these directions if they receive them. As it is the nature for cybersecurity incidents to escalate quickly, organisations cannot expect sufficient lead time from the Commissioner to implement these directions, and must respond with some urgency.
5. Now what?
Now that the Bill has been released, here are a few actions your organisation can consider taking:
- Participate in the public consultation process: If you have concerns about certain provisions in the Bill, or that the Bill have may an unduly intrusive effect on your business operations, it may be worth engaging the CSA and the Ministry of Communications and Information to have these views heard as part of the public consultation process, before the Bill gets passed into law. We are happy to be your “sounding board” for your concerns, or assist with preparing submissions as part of the consultation process.
- Start to identify what may be your “critical information infrastructure”: If you operate in one of the identified critical sectors, you should start to consider which of your computers and computer systems may be considered “critical information infrastructure”, and gather materials that the Commissioner may seek from you, in anticipation of the Commissioner engaging with you to identify your “critical information infrastructure”.
- Think about how your organisation can comply: As mentioned above, some organisations may not have in-house technical capabilities to comply with some of the directions it may receive from the Commissioner under the Bill. If you are one of these organisations, it will be prudent to begin considering options available in the market to comply with these directions, especially as these directions are likely to come with fairly urgent compliance deadlines. Separately, organisations may also want to consider rolling out internal cybersecurity policies which comply with the provisions in the Bill, especially if your organisation is an owner of “critical information infrastructure”. Policies to comply with the audit requirements, and internal escalation processes to comply with the notification requirements, are some examples.
- Identify a cybersecurity compliance officer in your organisation: As the Bill introduces a new compliance regime, it may be prudent to start thinking about appointing an employee or team of employees in your organisation to be the cybersecurity compliance officer for your organisation, especially if you are an owner of “critical information infrastructure”. This is particularly important as the Bill imposes criminal sanctions for non-compliance of certain requirements. Similar to the Data Protection Officer’s role under the Personal Data Protection Act 2012, who is responsible for an organisation’s compliance with the PDPA and front-faces discussions with the Personal Data Protection Commission, a cybersecurity compliance officer will be a helpful resource to lean upon to ensure compliance with the Bill (e.g. to ensure that audit reports are provided to the CSA within 30 days), be the point of contact for your organisation for any internal escalations, and to front-face any communications with the CSA.
For further information, please contact:
Niranjan Arasaratnam, Partner, Linklaters