The Cybersecurity Act (87-page / 251KB PDF) will apply to organisations that are designated as operating 'critical information infrastructure' (CII) in Singapore. Organisations in the energy, telecoms, water, health, banking, transport and media sectors are among those that could be impacted.
A new commissioner of cybersecurity in Singapore will be tasked with selecting the specific organisations to designate as CII owners subject to the new regime. Organisations will be able to raise an appeal against the designations to Singapore government ministers.
Under the Act, CII owners will be subject to a number of requirements. These include a duty to report certain cybersecurity incidents to the commissioner of cybersecurity, and to disclose certain information to the commissioner regarding their CII, including on the "design, configuration and security" of that infrastructure.
In addition, CII owners could be subject to investigations from Singapore authorities regarding cybersecurity threats or incidents, and forced to take remedial action where deficiencies in security measures are found.
CII owners will also need to undertake periodic cybersecurity audits and risk assessments and could be further required to adhere to codes of practice or standards that the commissioner of cybersecurity has the power to issue under the new Act, as well as participate in cybersecurity testing exercises.
A further obligation to notify changes in legal or beneficial ownership of CII to the commissioner of cybersecurity within seven days is also stipulated in the Act.
A new licensing framework for providers of cybersecurity services will also be established under the new laws.
In a speech before parliament earlier this week, Singapore minister for communications and information, Dr Yaacob Ibrahim, addressed concerns raised by some MPs that incident reporting and investigation obligations might be "too onerous".
He said: "There is no obligation for a CII owner to report a cybersecurity incident in respect of other infrastructure that it owns, where such infrastructure is not connected to the CII."
Ibrahim also said that CII owners that "comply with their obligations" under the new Act will not face fines, even if they experience cybersecurity breaches.
The new laws will not have extra-territorial effect. They will only apply to systems located in Singapore.
However, in his speech, Ibrahim clarified that in cases where some CII in Singapore is operated by systems located partly in Singapore and partly outside the country, the Act will govern the Singapore-based systems.
"Given Singapore’s interconnectivity, it is inevitable that some computer systems serving important functions in Singapore are connected globally and may also be located wholly outside Singapore," Ibrahim said. "These computer systems could also be operated by international organisations based abroad."
"While Singapore may be able to work with these international organisations to ensure the cybersecurity of the systems in question, we cannot control such systems by designating them as CII under the Bill as they are outside our jurisdiction. There may also be potential conflicts with other countries’ regulatory regimes," he said.
The Ministry of Communications and Information (MCI) and the Cyber Security Agency (CSA) confirmed last year that suppliers of technology to the operators of critical information infrastructure (CII) in Singapore would not be directly subject to the new law.
However, Ibrahim said that CII operators must check that the security measures their suppliers put in place are sufficient to ensure they meet their own legal obligations.
"CII owners are ultimately responsible for the cybersecurity of their respective CII," Ibrahim said. "Many engage third-party vendors to support their CII. In deciding which vendors to engage and what conditions to impose on their vendors, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the Bill are complied with."
The new Cybersecurity Act will exist alongside other Singapore laws and sector-specific regulations that already address matters of information security, including the Personal Data Protection Act. It will come into force when it is published in Singapore's legal gazette.
The Act is broadly equivalent to legislation that has been put in place in the EU. EU countries have until 9 May 2018 to implement the Network and Information Security (NIS) Directive into national law. The UK finalised its plans to do so at the end of January.