Singapore’s Amendments to Its Cybersecurity Laws

Background

In 2018, Singapore’s Cybersecurity Act established a strong legal framework for the oversight and maintenance of cybersecurity by the Cyber Security Agency of Singapore (CSA). The Cybersecurity Act is separate from Singapore’s Personal Data Protection Act, which is the principal legislation that governs the collection, use, and disclosure of individuals’ personal information by businesses.

The Cybersecurity Act applies specifically to owners and operators of critical information infrastructures, requiring such entities to comply with certain standards and policies, conduct audits and risks assessments, and implement incident reporting measures.

Reckoning with a constantly evolving cyber threat landscape and seeking to ensure adequate protections as critical information infrastructure operators shift towards cloud-based operations, the CSA passed the Cybersecurity (Amendment) Act (the “Amendments”) on May 7, 2024. The Amendments reinterpret how critical information infrastructure is defined, identified, and secured, and aims to address the diverse range of cybersecurity threats in Singapore’s vast digital economy.

“The 2018 Act was developed to regulate [critical information infrastructures] that were physical systems, but new technology and business models have emerged since,” said Janil Puthucheary, Senior Minister of State for the Singapore Ministry of Communications and Information. “Hence, we need to update the Act to allow us to better regulate [critical information infrastructures] so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on.”

Who Will Be Affected?

The Amendments introduce new obligations for only four kinds of entities: (1) computing vendors of essential service providers, be it critical information infrastructure owners or operators; (2) Systems of Temporary Cybersecurity Concern (STTC); (3) Entities of Special Cybersecurity Interest (ESCI); and (4) Foundational Digital Infrastructures (FDIs).

At their core, the Amendments endeavor to strengthen Singapore’s national security. By expanding definitions and regulatory frameworks to cover virtual systems, overseas critical information infrastructures, and other third-party cyber-service providers, the Amendments allow the CSA to more effectively monitor and guard against cyber threats.

For detailed information on which organizations qualify as STTC, ESCI, and FDIs, review the CSA First Reading of the Cybersecurity (Amendment) Bill on their website.

Implications for Businesses

The first type of newly defined entity listed above—computing vendors of essential service providers—is a particularly significant addition to the Cybersecurity Act. Even though these “vendors” may not provide essential services themselves since they manage the outsourced computing systems on which essential service providers are increasingly relying, the compliance requirements outlined in the Amendments will apply. These computing systems are thus classified as “non-provider-owned critical information infrastructures.”

And while the providers of essential services themselves will still be chiefly responsible for ensuring sufficient cybersecurity, they will also now be required to obtain legally binding commitments from vendors of non-provider-owned critical information infrastructure to remain in compliance with the new Amendments.

Other requirements for both providers and vendors of non-provider-owned critical information infrastructures include increased incident reporting, auditing, and risk assessments. In other words, certain expectations or guarantees of cybersecurity will apply to companies wherever there is risk in the chain of handling.

Financial Impacts

The Amendments’ new and expanded requirements, especially as it pertains to obligatory incident reporting and the need to obtain legally binding commitments, could certainly involve higher compliance costs for companies.

Moreover, whereas the original Cybersecurity Act prescribed only criminal penalties for non-compliance with its standards and obligations, the Amendments provide the CSA with the authority to tailor enforcement actions and penalties based on a list of general factors. These include the nature of the offense, the egregiousness of the violation, and the overall facts of the matter. The Amendments also introduce a new framework for civil penalties in lieu of criminal fines where appropriate.

Ultimately, Singapore hopes that any additional costs associated with adequate cybersecurity will eventually be viewed as an important value-add and not just a tedious expense. These Amendments underscore Singapore’s commitment to doing what it takes to maintain a robust, thriving, and secure digital economy.

Additional Resources

Read more about Singapore’s Amendments on the ETCIO Southeast Asia website. A link to the official text of the Bill has also been made available by the Parliament of Singapore.

If you have any questions about the bill or other related concerns, our Data Privacy & Cybersecurity Team is here to help.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.