In a Nutshell

On 17 April 2024, the Cybersecurity Agency of Singapore (Agency) issued a response to public feedback received on a draft amendment to its cybersecurity law.

This draft amendment of the Cybersecurity Bill (Bill) was published as part of a public consultation exercise from 15 December 2023 to 15 January 2024.

Our earlier post about this consultation can be accessed here.

What Was the Industry Feedback Received on the Bill?

The Agency received and considered a total of 55 different submissions comprised of comments and feedback on the Bill from critical information infrastructure (CII) owners, the industry and the public at large.

There was general widespread support for the revisions proposed in the Bill, which underscores a common recognition of the heightened importance of cybersecurity and the need for robust regulation in a fast-expanding digital landscape.

What Areas Did the Industry Feedback Cover?

With regards to proposed amendments in the Bill applicable to CII, the feedback received from the industry fell into the following three areas:

  1. Whether the proposals to regulate CII owners’ use of distributed system architecture (e.g. commercial cloud solutions) or computing vendors would create statutory obligations (directly or indirectly) for these providers serving the CII owners.
  2. The potentially higher compliance costs faced by CII owners and Providers of Essential Services (PES) as defined in the Bill, due to their increased obligations including incident reporting and the need to obtain legally binding commitments.
  3. How the amended act will be operationalised, including the designation process for PES and the scope of the Commissioner of Cybersecurity’s powers to conduct on-site inspections.

How Were These Issues Addressed in the Agency’s Response?

Statutory Obligations for Third-party Providers Serving CII Owners

CII owners will continue to be primarily responsible for the systems they control and own.

More specifically, the Agency clarified that the statutory obligations under the Bill will not extend to third-party cloud service providers supporting the CII, nor to third-party computing vendors engaged by and delivering services to a designated PES.

In respect of virtual computer systems (Virtual Systems), the Agency will introduce additional provisions in the Bill to clarify that it is the person who has:

  • Control over the operations of such Virtual Systems.
  • The right and ability to perform security configuration and management tasks in respect of such Virtual Systems, including to make any modification as necessary for its cybersecurity.
  • Responsibility for the security of such Virtual Systems under a person’s contractual arrangement with a cloud provider, who will be considered the owner of the Virtual Systems that is CII. This means that it will be the existing CII owner, who has control over said CII, that will continue to be responsible for such system even after virtualisation, and not the cloud provider.   

Increased Compliance Costs

The Agency will work to manage the compliance burden of CII owners. This will include developing a pragmatic approach to operationalising incident reporting.

However, the Agency considers that any decision to use an outsourced CII from a third-party computing vendor is ultimately a commercial one. It is open to CII owners to outsource after assessing the costs and benefits involved. Regardless of whether CII is outsourced or owned, the Agency takes the position that the same level of cybersecurity must be established to address disruption risks to the delivery of essential services. This is especially so given the fast-evolving tactics of advanced persistent threat actors and cybercriminals today, looking to exploit supply chains and other peripheral systems to attack CII. 

PES Designation and On-site Inspections

Due to security reasons, the Agency does not intend to publish the full list of special cybersecurity entities which are to be designated as such.

On the issue of whether a CII owner can be concurrently designated as a PES, the Agency clarified that such designations would involve a considered process. This will include working closely with all parties concerned to identify potential providers of essential services, as well as any sectoral regulator to properly understand the operating environment, and computer systems involved in the delivery of essential services.

For on-site inspections that may be conducted by the Agency pursuant to its powers under the Bill, the Agency assured that ample prior notice will be given to enable CII owners to prepare ahead of such inspections.

Concluding Observations
The Agency also stated that it will continue to take reference from international best practices as well as to harmonise its approach with any other sectoral rules in Singapore, as may be relevant. It will also conduct further industry consultations on the development of subsidiary technical and operational codes of practice, and incident reporting parameters, as well as on the implementation of the proposed amendments in the Bill.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.