Update on Singapore’s Cybersecurity (Amendment) Bill 2023

The Cyber Security Agency of Singapore (CSA) is currently in the process of introducing the first ever amendments to its Cybersecurity Act (CS Act) 2018 via the Cybersecurity (Amendment) Bill.  Through these Amendments, CSA is looking to account for advancements in Singapore’s technology and business landscape since 2018.  It is also hoping to holistically enhance the cybersecurity of not only the country’s critical information infrastructure (CII) but also other digital infrastructure important for Singapore’s economy.

The first draft of this Bill was opened for public consultation from 15 December 2023 to 15 January 2024. You can find here our analysis of the proposed Bill as it stood during that consultation process. In response to the feedback received, on 02 April 2024, CSA released a closing note with clarifications on key questions raised and updates on further amendments. This was followed by the first reading of the updated Bill in the Parliament on 03 April 2024, with the Bill expected to be passed later this year.

CSA’s recent clarifications have emphasized that the Bill intends to be high-level and not overly prescriptive, with provisions to encourage continued digitalization of the country’s CIIs, particularly through the use of outsourced computing services. What follows is a refresher on the original Bill’s provisions and how CSA intends to refine that language in response to stakeholder feedback.

Recap of Toplines from the Bill’s First Draft

Expansion of CII Owners’ Responsibilities: The Bill aims to ensure that CII owners remain responsible for the cybersecurity of CII as they increase their digitalization efforts, by expanding the CS Act’s application to situations where CII owners work with external cloud service providers (CSPs). The Bill would also expand incident reporting requirements for CII owners to include those implicating their supply chains.

Regulation of Entities Beyond CII: CSA intends to expand its regulatory oversight beyond just CII to include entities providing important digital infrastructure for Singapore’s economy. This expansion is intended to enhance CSA’s situational awareness, especially through increased incident reporting. The latter would allow CSA to identify patterns and alert other entities to prevent or mitigate the effects of cyber incidents, as well as to prevent future incidents. New entities covered by this expanded oversight would include:

• Foundational Digital Infrastructure (FDI): Entities providing digital infrastructure that is foundational to Singapore’s economy or way of life, such as CSPs and data centres.
• Entities of Special Cybersecurity Interest (ESCIs): Entities hosting sensitive information or performing a function of national interest, whose disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore. So far, CSA has cited only “autonomous universities” as an example of ESCIs.
• Systems of Temporary Cybersecurity Concern (STCCs): Computer systems critical to Singapore and at high risk of cyberattacks due to temporary events or situations. For example, systems used to support the distribution of critical vaccines during a pandemic could be STCCs.

Penalties for Non-Compliance: While the original CS Act prescribed only criminal penalties for non-compliance with CII-related statutory obligations, the amendments in the Bill would allow CSA to calibrate enforcement actions based on certain factors. These would include the nature of the offence, egregiousness of the non-compliant action, and overall facts of the case. The Bill would also introduce a new framework to include civil penalties in lieu of criminal fines where appropriate.

New Amendments Proposed

In response to the open- and closed-door consultations to date, CSA has announced that it will further revise the Bill to address the following clarifications and updates:

Facilitating CII Owners’ Move to the Cloud: CSA will introduce provisions to update the definitions of “computer” and “computer systems” to provide CII owners with flexibility to separate virtual systems from the supporting physical infrastructure. This is intended to allow CII owners to diversify risk by embracing digital solutions such as cloud computing. The caveat, however, is that at least one of the physical computing resources deployed to create the virtual system would need to be located in Singapore. Importantly, CSPs and other information technology (IT) vendors would not qualify as CII owners under the amended CS Act. This reflects a significant point of clarification on the Bill’s originally proposed language.

Simplifying the Definition of “Non-Provider Owned CII”: CSA will simplify the language in the updated draft text by replacing all references to “non-provider owned CII” with “third-party owned CII”. This term will continue to refer to computing vendors (such as CSPs) providing CII to providers of essential services (PESs). Again, these third-party vendors will not be directly regulated by CSA, i.e., the statutory responsibilities imposed on CII owners under Part 3 of the Bill, or designated PESs under Part 3A, will not apply to third-party vendors.

Managing Compliance Costs: CSA has recognized that the proposed provisions could raise compliance costs, particularly those associated with expanded incident reporting requirements. CSA has committed to work with CII owners to manage this compliance burden by developing a pragmatic approach to the submission of incident reports, including those involving supply chain incidents.

Harmonizing FDI Security Codes or Standards: CSA continues to commit to holding further industry consultations on developing incident reporting parameters and other relevant cybersecurity codes or standards for FDI. The intent is to harmonize these with international best practices and sectoral regulations to reduce the compliance burden on FDI.

Designation of ESCI: CSA has reiterated that the scope of potential ESCIs must remain broad in order to account for evolving threats. CSA will also engage with entities before designating them as ESCIs.  However, CSA has maintained that a consolidated list of such entities will not be made publicly available due to security concerns. 

Our Take

The proposed Amendments are a testament to Singapore’s proactive stand on promoting the responsible digitalization of its economy. Through these Amendments, CSA recognizes that today’s security will not only be closely tied to traditional CII, but also implicate other supporting entities on which PESs rely.  This will require a carefully calibrated balance of demanding security from the private industry who provides this support infrastructure, while at the same time not overwhelming industry with compliance burdens and red tape. CSA’s latest approach to the Amendments reflects the need to iterate when striking that balance.

CSA’s closing note has provided much-needed clarity on the rationale behind and exact scope of many of the proposed amendments, particularly related to outsourced CII. That said, the note also reflects CSA’s insistence that certain provisions causing concern among industry are nevertheless necessary. For CSPs in particular, the proposed flexibility for CII owners to contract with commercial cloud vendors creates new opportunities. This will allow CSPs to work directly with CII owners without shouldering responsibility for their obligations or liabilities under the amended CS Act. However, questions remain about how CII owners may pass on these obligations to CSPs, perhaps through onerous and purely commercial contractual provisions. This may hamper CSA’s intent to encourage digitalization of CII.

CSA has stated that it intends to work closely with industry to operationalize the amended CS Act once passed by the Parliament later this year. Ultimately, CSA would like cybersecurity to not be viewed as an additional cost but as a value-add and important differentiator. This ambitious goal will depend on CSA’s ability to continue to forge robust stakeholder partnerships for effective operationalization of the amended CS Act. Doing so will allow Singapore’s digital economy – including all of its industry stakeholders – to securely thrive.