Singapore Amends Cybersecurity Law to Bolster National Security Measures

On 7 May 2024, the Singaporean parliament passed the Cybersecurity Bill expanding the cybersecurity authority’s supervision. The new law allows oversight over any computer system considered critical to national interests and at high risk of cyberattacks.

The new law includes temporary systems set up for important operations like vaccine distribution and major international summits or events. The aim is to strengthen national security by having Singapore’s vital systems under heightened cybersecurity monitoring.

Is your business or organization operating in Singapore? Wondering if this new Cybersecurity Bill amendment will directly affect you and your clients?

This Pacific Prime CXA article will provide an in-depth overview of the key changes made in the Bill, why these changes are being made, and what it means to businesses and providers operating in the country.

Key Changes Made in the Bill

Following a public consultation by the Cybersecurity Agency of Singapore (CSA), this amendment marks the first revision to Singapore’s Cybersecurity Act (CA) since its initial enactment in 2018. The Act establishes the legal framework for cybersecurity oversight and maintenance in Singapore.

As new technologies such as cloud computing are being widely adopted along with evolving business models, these timely amendments ensure Singapore’s cybersecurity laws remain fit to address emerging challenges in the digital world.

Under the newly revised Cybersecurity Act, those in charge of critical information infrastructure (CII) in Singapore will be required to report any cybersecurity blackouts or attacks that impair their services, whether occurring on their premises or within their supply chains.

The revised law also adds new categories of organizations that will have their cybersecurity measures audited by the authorities. This includes autonomous universities, as they may hold sensitive information or carry out important operations.

As such, here are more details of the key changes to the latest Cyber Security Act of Singapore:

An expansion of the Cybersecurity Act’s scope brings four new classes of persons:

Providers of essential services that don’t own the critical information infrastructure (CII) must obtain legally binding commitments from third-party CII owners. These ensure the third parties provide the necessary cybersecurity information and adhere to standards, allowing the providers to meet their duties under the Act. Without such commitments, providers may be ordered to stop using the third-party CII.
Owners of temporary systems at higher cyber-attack risk due to events like pandemic vaccine distribution will come under the Act’s scope.
Certain entities of special cybersecurity interest will be subject to a “light-touch” regulatory approach.
Providers of major foundational digital infrastructure services will also face a “light-touch” regulatory treatment.

The Commissioner’s powers are enhanced, such as expanding the types of incidents that must be reported and authorizing on-site inspections.

Penalties for Non-compliance

Should there be an event of non-compliance within the amended law, you may be subject to a fine of up to SGD $100,000, an imprisonment term not exceeding two years, or both. For continuing offenses, there can be an additional fine of up to SGD $5,000 per day after conviction.

These penalties can apply if, for example, an essential service provider fails to obtain the required cybersecurity commitments from a third-party infrastructure owner, and then disobeys the Commissioner’s order to stop using that third-party infrastructure.

Penalties are higher for offenses related to special cybersecurity entities and major digital infrastructure providers. Expect fines of up to SGD $200,000 or 10% of the offender’s annual Singapore business turnover. Continuing offenses face additional daily fines up to SGD $5,000 after conviction.

The amendments also introduce a new civil penalty regime. For violations under certain Parts of the Act, the Commissioner can seek a court order for a civil penalty with the Public Prosecutor’s consent instead of prosecution.

This civil penalty can reach up to 10% of the offender’s annual Singapore business turnover, or SGD $500,000, whichever is higher.

Why Are These Changes Being Made?

As Singapore embraces more digitalization, the risk of cyberattacks rises in correlation. Disruptions to critical digital infrastructure can have tumultuous and widespread effects impacting essential services.

For example, during the COVID-19 pandemic, governments worldwide created temporary systems to distribute vaccines. However, these systems became targets for bad actors, as mentioned in parliament by the Singaporean Senior Minister of State for Communications and Information, Dr. Janil Puthucheary.

Dr. Janil further highlighted the growing trend of bad actors targeting supply chains and related systems. He gave an example from 2019, where hackers inserted harmful code into an I.T. monitoring tool provided by SolarWinds, a U.S. software company used by numerous organizations.

This allowed the hackers to access the data of over 30,000 public and private firms in the United States for several months.

With over 90% of Singaporean residents communicating online and a high adoption rate of technology among local businesses (94% in 2022, up from 74% in 2018), it is crucial to heighten the oversight of cyber incidents, considering the increasing dependence on digital services in everyday life.

Therefore, it is crucial to establish additional precautions that go beyond the existing protections provided by the Cybersecurity Act. This will enable both individuals and businesses in Singapore to embrace digital technology with confidence, knowing that robust cybersecurity measures are in effect.

What It Means for Businesses and Providers Operating in Singapore

Owners of critical infrastructure like water, electricity, and banking services will be required to report more types of cybersecurity incidents to the Cyber Security Agency of Singapore (CSA). This includes incidents that occur in their supply chains.

By receiving more reports, CSA can better understand cybersecurity threats that could disrupt essential services in Singapore, allowing them to work more proactively with owners to secure these critical systems.

Furthermore, essential service operators remain accountable to CSA for any security lapses. More essential sectors include energy, water, banking and finance, healthcare, transportation (land, maritime, and aviation), information and communication, media, security and emergency services, and government.

Additionally, companies such as cloud service providers and data centers will be required to maintain cybersecurity codes, and standards of practice, and report certain incidents to CSA, although at a level below critical infrastructure.

Planning Ahead for the Future

To sum up, these new amendments made to the Cybersecurity Act significantly broaden Singapore’s cybersecurity supervision.

By mandating incident reporting across supply chains and third-party vendors for essential services, as well as covering digital infrastructure providers, the CSA can gain a more comprehensive view of potential cyber threats.

The increased visibility aims to bolster the nation’s defenses and resilience of its essential digital systems against cyber attacks. Thus, it’s up to companies to make well-informed decisions to continuously assess the data they possess and the appropriate measures to secure it.

Pacific Prime’s corporate insurance solutions acknowledge the difficulties and intricacies companies encounter while remaining flexible to align with each client’s goals, needs, and the unique risks they may face.

With over 20 years of reputation as a world-renowned insurance broker, our team of experts goes the extra mile to ensure our clients have access to the most comprehensive and cost-efficient global insurance plans tailored to their specific requirements and budgets.

Contact us today to receive impartial insurance advice or a free plan comparison.

Veerabhatr is a content writer with over 6 years of experience with a particular penchant for storytelling and marketing, both in print and online. He now works with an experienced team of writers at Pacific Prime, aiming to shed light on the essence and benefits of insurance for companies and individuals by creating engaging, informative content across multiple platforms.

After obtaining his Bachelor’s Degree in Social Sciences, International Relations from Mahidol University International College, Veerabhatr has forged his career as a content writer in the travel, lifestyle, and real estate industries, writing in both English and Thai. He now continues to hone his skills as a writer at Pacific Prime, looking to engage and educate the audience by simplifying insurance.

Writer by day, and a DJ by night, Veerabhatr is a staunch music lover, and listens to all spectrums of genres available. He also loves to drink beer (moderately), eat all types of food, go to the beach, and learn about different cultures across the globe. He is also a die-hard fan of football and motorsports.

Latest posts by Veerabhatr Sriyananda (see all)