Singapore released proposed Cybersecurity Bill for public consultation



In light of the recent global ransomware incidents and cyber attacks which are becoming increasingly common, Singapore is stepping up its defences against cyber crimes and recently published a draft Cybersecurity Bill (the “Cybersecurity Bill”). The Cybersecurity Bill is open for public consultation through the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) from 10 July 2017 to 3 August 2017.

The Cybersecurity Bill is a standalone Bill which, if and when it comes into force, will sit alongside the existing primary legislation on cybersecurity, i.e. the Computer Misuse and Cybersecurity Act. The proposed Bill will establish a framework for the oversight and maintenance of national cybersecurity in Singapore and will empower the CSA (set up in April 2015) to carry out its functions. The Bill aims to minimize the risks of cybersecurity threats. The Bill has also been drafted with a view to strengthening global partnerships and directing more funds to plug cybersecurity gaps, as identified in Singapore’s high-level Cybersecurity Strategy which was launched in October last year.

This article examines some of the key points of the Cybersecurity Bill.

1. CII owners will be subject to statutory duties

The Cybersecurity Bill adopts the commonly used cybersecurity term “Critical Information Infrastructure” to refer to a computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health and/or public safety or public order of Singapore (the “CII”).

The definition of CII has been drafted quite widely to protect CII operators from a wide range of sectors, both public and private, under the Cybersecurity Bill. It currently identifies 11 key sectors, including (1) government, (2) security and emergency, (3) healthcare, (4) infocommunications, (5) banking and finance, (6) energy, (7) water, (8) media, (9) land transport, (10) aviation and (11) maritime, although there is flexibility for the list to be updated from time to time by the regulatory authorities in Singapore. The Commissioner of Cybersecurity also has the discretionary authority to designate a particular computer or computer system as CII.

Any operator of CII will be subject to the following duties:

a) Provide the Commissioner of Cybersecurity (the “Commissioner”) with information on the technical architecture of the CII;

b) Comply with relevant and applicable codes of practice and directions issued by the Commissioner;

c) Notify the Commissioner of any cybersecurity incident that occurs in respect of the CII and any computer or computer system under the CII owner’s control that is interconnected with or communicates with the CII;

d) Conduct regular audits and risk assessments of the CII to ensure compliance with the Cybersecurity Bill, codes of practice and standards of performance at least once every three years and furnish a report to the Commissioner; and

e) Participate in cybersecurity exercises as directed by the Commissioner to test the state of readiness to respond to significant cybersecurity incidents.

2. Cybersecurity service providers to be licensed

Service providers will have to be licensed by the CSA if they sell computer programs or provide services with the intention to ensure the protection of cybersecurity and provide penetration testing or managed security operations centre services. These licensed service providers will be subject to certain requirements, for example, appointing fit and proper key executive officers to comply with a code of ethics and retaining service records for five years. Failure to obtain a licence could attract a maximum fine of S$50,000 and/or a term of imprisonment of two years.

3. Extensive investigative powers of the CSA

The CSA will be empowered to investigate and prevent cybersecurity incidents and threats. This means that the CSA will be authorised to compel organisations, whether falling within the definition of a CII owner or not, to share information with the CSA as it thinks fit, and to enter premises or seize computers for examination.

In preparation for the implementation of the Cybersecurity Bill, organisations are advised to carefully consider the new obligations under the Cybersecurity Bill and to design, review and update cybersecurity policies and procedures to manage and respond to cybersecurity risks and incidents, as well as to ensure compliance with the Cybersecurity Bill.

How the new laws may affect organizations in Singapore’s private sector

Private organizations may potentially be designated as CII if they have computers or computer systems necessary for the continuous delivery of essential services in the 11 key sectors which the Singapore government has presently identified. The Bill defines “computer system” to include not just information technology (IT) systems but also operational technology systems such as an industrial control system (ICS), a programmable logic controller (PLC), a supervisory control and data acquisition (SCADA) system or a distributed control system (DCS).

Such organizations, if designated as CII, must be prepared to comply with statutory duties and/or the new licensing regime as highlighted above.