21 December, 2017
On 10 July 2017, the Cyber Security Agency of Singapore (“CSA”) and Singapore Ministry of Communications and Information (“MCI”) released a draft Cybersecurity Bill for public consultation, which will conclude on 3 August 2017.
The proposed Cybersecurity Bill has four main objectives:
- to provide a framework for the regulation of critical information infrastructure owners;
- to provide the CSA with powers to manage and respond to cybersecurity threats and incidents;
- to establish a framework for the sharing of cybersecurity information with and by CSA officers, and the protection of such information; and
- to introduce a lighter-touch licensing framework for the regulation of selected cybersecurity service providers.
The proposed Bill comes at a time of increasing cybersecurity incidents globally, including the recent global WannaCry and Petya/Petna malware attacks, and as organisations increasingly focus on implementing technical and operational security measures to protect their systems from such incidents.
1. Are you a critical information infrastructure owner?
The proposed Bill would apply equally to critical information infrastructure owners in both the private and public sectors (i.e. statutory boards and the government). “Critical information infrastructure” is broadly defined as:
“A computer or a computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.”
“Essential services” currently encompasses 11 critical sectors: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
Within these sectors, critical information infrastructure includes both information technology (IT) and operational technology (OT) systems (e.g. industrial control systems, data acquisition systems, etc.). The banking and finance sector is expected to own predominantly IT systems, whilst entities in other sectors, such as energy, are likely to own predominantly OT systems.
The owner of critical information infrastructure is the person who has effective control over the operation of the critical information infrastructure, or who is responsible for ensuring its continuous functioning. We would expect further clarity on the scope of this definition to follow the public consultation on the Bill, particularly as it applies in the context of IT outsourcing, where control over a system and responsibility for its continued operation may sit with different parties.
Who makes the determination?
The Commissioner of Cybersecurity would have the power to designate a particular computer or computer system as critical information infrastructure, and in so doing would serve a written notice on the critical information infrastructure owner. The Commissioner of Cybersecurity would also have the power to obtain information from entities in order to make the determination, although an owner would not be obliged to disclose information where the disclosure would be in breach of any written law. Any designation made would be an official secret under the law and shall not be publicised.
Companies should internally review their computer or computer systems against the scope of critical information infrastructure whilst the Bill is being finalised.
2. If you are a critical information infrastructure owner, what are your obligations?
Critical information infrastructure owners would have four general obligations in relation to notification, audit, provision of information, and participation in cybersecurity exercises. Failure to comply with the obligations would carry with it criminal sanctions, including fines of up to S$100,000, imprisonment for a term not exceeding 2 years, or both.
(1) Notification
- Critical information infrastructure owners would be required to notify the Commissioner of Cybersecurity of “significant” cybersecurity incidents in respect of:
  - critical information infrastructure; or
  - computer systems under their control which are interconnected with or communicate with the critical information infrastructure.
  Note that the obligation is triggered by “significant” incidents only, and not by any or all cybersecurity incidents.
- Critical information infrastructure owners would also be required to notify the Commissioner of Cybersecurity of changes to the design, configuration, security or operation of critical information infrastructure.
(2) Audit
Critical information infrastructure owners would be required to conduct regular audits of their compliance with the legislation and any related codes of practice released by the Commissioner of Cybersecurity, at least once every three years. The results of these audits are to be submitted to the Commissioner of Cybersecurity.
(3) Provide information and comply with Commissioner of Cybersecurity directions
Critical information infrastructure owners would be required to provide information about the technical architecture of the critical information infrastructure, if requested by the Commissioner of Cybersecurity.
Critical information infrastructure owners would also need to comply with any subsequent codes of practice, standards of performance or written directions issued by the Commissioner of Cybersecurity in relation to the legislation.
(4) Participate in national cybersecurity exercises organised by the Commissioner of Cybersecurity
The Commissioner of Cybersecurity may from time to time organise national cybersecurity exercises to test the readiness of critical information infrastructure owners in responding to significant cybersecurity incidents, and critical information infrastructure owners would be required to participate in such exercises.
3. What if I am not a critical information infrastructure owner?
The CSA would be granted broad powers to both prevent and investigate cybersecurity incidents. The powers would be vested in the Commissioner of Cybersecurity.
Such powers would not be limited to critical information infrastructure, but would extend to any computer or computer system in Singapore. Note that a failure to comply with the Commissioner of Cybersecurity’s directions would attract criminal penalties. The Commissioner’s powers would vary depending on the severity of the cybersecurity threat or incident.
For all threats and incidents, regardless of their severity, the Commissioner may examine anyone relevant to the investigation and take statements to determine whether further steps are needed. For serious threats and incidents, the Commissioner may take measures including:
- directing any person to carry out remedial measures and assist in investigations; and
- physically entering premises owned or occupied by any person to access the relevant computer system.
4. Are you a cybersecurity service provider?
The proposed Bill also aims to regulate providers of cybersecurity services. For this purpose, a cybersecurity service is defined as:
“a service provided for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person.”
If your organisation is a cybersecurity service provider, it would need to obtain a licence from the CSA to continue to provide such services.
There are two types of licences:
(1) investigative cybersecurity services, which typically involve a deeper level of access to the computer system, such as searching for cybersecurity vulnerabilities; and
(2) non-investigative cybersecurity services, which typically involve monitoring the cybersecurity of a computer system.
The following persons do not fall within the scope of a cybersecurity service provider:
- any person that sells self-install computer programs intended for the protection of the cybersecurity of a computer; or
- any person that provides services for the management of a computer network or system which are aimed at ensuring the availability of, or enhancing the performance of, that computer network or computer system.
5. Conclusions and recommendations
Please note that the proposed Bill is still subject to public consultation and may be amended. In the meantime, companies are encouraged to contribute to the consultation and to make a preliminary assessment of whether they would be a critical information infrastructure owner or a cybersecurity service provider under the proposed Bill, and of what they would need to do to comply with the resulting obligations.
For further information, please contact:
William Hallatt, Partner, Herbert Smith Freehills
William.Hallatt@hsf.com