What is the Cybersecurity Bill about?
The proposed law will form a key pillar of Singapore’s cyber-defence strategy in its push to be a Smart Nation. It will:
- introduce a framework for regulating critical information infrastructure (“CII”);
- empower the Cyber Security Agency of Singapore (“CSA”) to manage and respond to cybersecurity threats;
- establish a framework for the secure sharing of cybersecurity information with and by the CSA; and
- establish a light-touch licensing framework for cybersecurity service providers.
What is the status of the Bill now?
The proposed law is currently in the public consultation stage. After consultation, the Bill will be read in Parliament, debated and amended as needed before being passed into law.
How will the Bill be enforced?
The powers under the Bill will be vested in a Commissioner of Cybersecurity, a position to be held by the Chief Executive of the CSA. The Minister may also appoint cybersecurity officers, authorised officers (drawn from the pool of sector regulators) and technical officers to implement the proposed legislation.
Why introduce separate legislation?
The existing piecemeal approach is no longer adequate to cope with the increasing prevalence and severity of major cybersecurity incidents. At present, cybersecurity is regulated under sector-specific rules. This has led to varying standards across sectors, which is a problem given the interdependencies between CII sectors. Hence, there is a need for a more holistic and proactive approach.
How does the Bill fit into the existing legal framework?
Relationship with the Computer Misuse and Cybersecurity Act (Cap. 50A)
The two regimes are complementary, with the CSA’s new powers serving to “enhance” those available under the CMCA. The Bill does not prevent any person from being prosecuted under any written law, or from being liable to any penalty higher than that provided by the Bill.
Relationship with banking secrecy and data protection laws
The Bill empowers the Commissioner of Cybersecurity to require any person to surrender pertinent information about a suspected cyberattack. At the same time, various existing laws restrict the disclosure of such information:
- banks owe their customers a duty of confidentiality under the Banking Act (Cap. 19);
- organisations cannot use or disclose personal data without individuals’ consent under the Personal Data Protection Act (No. 26 of 2012) (“PDPA”); and
- information need not be disclosed if it is protected by legal professional privilege.
The CSA has not expressly addressed the interaction between the Bill and existing prohibitions on disclosure.
Some commentators think the Bill “seeks to take precedence” over existing laws. This understanding is supported by clause 20(5) of the Bill, which protects any person who discloses information in good faith from liability imposed by “law, contract or rules of professional conduct”.
Another view is that disclosure may only be made after the implicated personal information has been removed. This is the position under the US Cybersecurity Information Sharing Act.
Regardless, it should be noted that existing prohibitions on disclosure are not absolute. For example, the duty of confidentiality owed by banks is subject to an exception where disclosure is necessary to comply with a request made under any specified written law to furnish information for investigation purposes. An organisation may also use or disclose personal data without consent if this is necessary in the national interest. Clarification by the CSA on this point will be helpful.
How does the Bill compare to cybersecurity legislation in other countries?
The proposed legislation brings Singapore in line with numerous jurisdictions that have strengthened their frameworks for cybersecurity. Singapore follows countries such as Germany and the Czech Republic in enacting an omnibus cybersecurity law. The Bill covers the basics of standard-setting, information sharing, incident management, and crisis management.
One point of interest is that the Consultation Paper identifies information sharing as an objective of the Cybersecurity Bill without providing details. How might this develop?
One model is the US’s Cybersecurity Information Sharing Act. This has three pertinent features. First, the Department of Homeland Security serves as the primary gateway for cybersecurity information-sharing between the private sector and federal government. Secondly, there are broad safe harbours from liability to encourage sharing. Private entities are generally shielded from civil, regulatory, and antitrust liability. Thirdly, the law imposes a “scrubbing” requirement to remove unrelated personal information before sharing data.
How will the Bill affect me?
If you are an operator of essential services
Your computer or computer system may be designated as CII. This will likely be the case if you provide services in the government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport or maritime sector, the disruption of which would have a “debilitating impact” on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.
To be designated a CII, your system must be located wholly or partly in Singapore. Being designated as CII is an official secret under the Official Secrets Act (Cap. 213). You may appeal against the designation.
You will have duties under the proposed legislation. If your system is designated as CII, you will be subject to duties such as providing information, reporting incidents, notifying the CSA of a change in ownership, conducting cybersecurity audits, and participating in national cybersecurity exercises. Non-compliance will be an offence.
If you are a cybersecurity provider
You will have to be licensed. The Bill prohibits the carrying out, performing, supplying or advertising of any licensable cybersecurity service without a licence. Such services may be investigative (such as white-hat hacking activities) or non-investigative (such as the monitoring of cybersecurity policies for compliance).
Currently, only penetration testing services and managed security operations centre monitoring services are proposed to be licensable. If you provide a licensable cybersecurity service but carry on business without a licence, you will be barred from suing to recover any fees due to you.
You will have to meet basic requirements to qualify for a licence. These requirements include retaining service records such as client information for five years, complying with any prescribed codes of ethics, and appointing only fit and proper persons as key executive officers.
If you are a general member of the public
You may be called upon to assist in cybersecurity investigations. The CSA will be granted a sliding scale of powers to improve its ability to respond to cybersecurity threats. Such powers include examining anyone relevant to an investigation and requiring them to provide information in the case of any cybersecurity threat, and directing persons to carry out remedial measures or seizing equipment in the case of serious threats.
How will the Bill affect my business?
The Bill is likely to bring increased compliance costs, as well as human resource and organisational challenges. On the other hand, auditing and consulting firms can look forward to increased demand for their services.
Businesses may want to take the opportunity to conduct a cybersecurity audit and plug security gaps, set up internal reporting structures, or introduce crisis management plans as necessary. In this regard, ISO/IEC standards such as the ISO/IEC 27000-series for information security management are useful benchmarks.
If you are a provider of essential services or a licensable cybersecurity service provider, you may want to review any underlying third-party contracts for compliance with the Bill.
Where can I find more information about the Bill?
How do I contribute?
If you have ideas on how the Bill should be modified, join the conversation by submitting comments to the Ministry of Communications and Information/CSA. Submission is via email, and the deadline is 5pm on 3 August 2017. More details can be found in the Public Consultation Paper.