The much discussed Cybersecurity Act 2018 (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018. The Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its four key objectives are to strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks; to authorise CSA to prevent and respond to cybersecurity threats and incidents; to establish a framework for sharing cybersecurity information; and to establish a light-touch licensing framework for cybersecurity service providers.

A key thrust of the Act is the imposition of cybersecurity obligations on public and private owners of CII that are used to provide essential services, such as Energy, Water, Banking and Finance, Healthcare, Transport, Infocomm, Media, Security and Emergency Services, and Government.

Under the Act, CII owners will be subject to a number of requirements. These include a duty to report certain cybersecurity incidents to the commissioner of cybersecurity, and to disclose certain information to the commissioner regarding its CII, including on the “design, configuration and security” of that infrastructure. CII owners will also need to undertake periodic cybersecurity audits and risk assessments.

A new licensing framework for providers of cybersecurity services will also be established under the new laws. The Licensing framework under the Cybersecurity Act seeks to licence two types of service providers, namely Penetration Testing, and Managed Security Operations Centre (SOC) Monitoring services. The simplified framework is currently scheduled for implementation around the later half of next year (2019).

The new Cybersecurity Act will exist alongside other Singapore laws and sector-specific regulations that already address matters of information security, including the Personal Data Protection Act and the Computer Misuse Act. It will come into force when it is published in Singapore’s legal gazette.

This Act seeks to establish a framework for the protection of (CII) against cybersecurity threats, the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore, and the regulation of providers of licensable cybersecurity services.

On the whole, this new Act is a necessary step forward in Singapore’s journey to become a smart nation and a necessary measure to strengthen Singapore’s cybersecurity resilience.