The much-discussed Cybersecurity Act 2018 (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018. The Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its four key objectives are to strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks; to authorise CSA to prevent and respond to cybersecurity threats and incidents; to establish a framework for sharing cybersecurity information; and to establish a light-touch licensing framework for cybersecurity service providers.

A key thrust of the Act is the imposition of cybersecurity obligations on public and private owners of CII that are used to provide essential services, such as Energy, Water, Banking and Finance, Healthcare, Transport, Infocomm, Media, Security and Emergency Services, and Government.

Under the Act, CII owners will be subject to a number of requirements. These include a duty to report certain cybersecurity incidents to the commissioner of cybersecurity, and to disclose certain information to the commissioner regarding their CII, including on the “design, configuration and security” of that infrastructure. CII owners will also need to undertake periodic cybersecurity audits and risk assessments.

A new licensing framework for providers of cybersecurity services will also be established under the new laws. The licensing framework under the Cybersecurity Act seeks to license two types of service providers, namely providers of Penetration Testing services and of Managed Security Operations Centre (SOC) Monitoring services. The simplified framework is currently scheduled for implementation around the latter half of next year (2019).

The new Cybersecurity Act will exist alongside other Singapore laws and sector-specific regulations that already address matters of information security, including the Personal Data Protection Act and the Computer Misuse Act. It will come into force when it is published in Singapore’s legal gazette.

This Act seeks to establish a framework for the protection of CII against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services.

On the whole, this new Act is a necessary step forward in Singapore’s journey to become a smart nation and a necessary measure to strengthen Singapore’s cybersecurity resilience.

Shyy Yuan Yaw, Partner, Audit and Assurance, Paul Wan & Co.
Shyy Yuan is a Chartered Accountant of Singapore (“CA, Singapore”) who has more than 12 years of extensive audit experience, including 10 years with international public accounting firms in Singapore. He is currently a registered Public Accountant with the Accounting and Corporate Regulatory Authority (“ACRA”) in Singapore, and also a member of the Institute of Singapore Chartered Accountants (“ISCA”) and the Association of Chartered Certified Accountants (“ACCA”).