Singapore's New Cybersecurity Amendment Bill And How It Affects Businesses
On 7 May 2024, the Singapore Parliament passed a new bill to bolster the nation’s cybersecurity defences to account for new and evolving technological threats. Dubbed the “Cybersecurity (Amendment) Bill”, it outlines that owners of Critical Information Infrastructure (CII) are now required to report cybersecurity incidents, including those that happen within their supply chains.
Also under this new Bill, the Cyber Security Agency of Singapore (CSA) is granted the power to manage entities beyond its current regulatory scope, including Entities of Special Cybersecurity Interest (ESCIs) and Foundational Digital Infrastructure (FDI). The Bill also allows authorities to regulate a novel type of system called Systems of Temporary Cybersecurity Concern (STCC) to deal with imminent cybersecurity concerns that threaten national security.
This article outlines the importance of this bill, what businesses can expect, and how the bill affects businesses across Singapore.
Why this Bill matters
Over 90% of Singaporeans communicate online and businesses’ technology adoption rate has spiked from 74% in 2018 to 94% in 2022. Rapid growth and adoption of new technologies in the past few years, such as cloud computing, have also put additional pressure on legislators to implement measures to protect the nation’s interests.
The approval of the Cybersecurity (Amendment) Bill signals Singapore’s commitment to cybersecurity and resilience, and to its global partners, once more renewing faith in the island nation. Owing to the continuing presence of malicious cyber actors, the bill seeks to safeguard CIIs and oversee ESCIs and FDIs, which are crucial to Singapore’s defence, foreign relations, economy, public health and safety.
While Singapore’s increased reliance on digital platforms is helping to boost the economy, it also presents more vectors for potential cyber threats, which requires businesses to offer stricter compliance and safety for managed cloud solutions.
What businesses can expect
With only a small fraction of total businesses under the umbrella of CIIs, ESCIs, and FDIs, the Bill does not enforce any cybersecurity obligations on the business community at large. Entities that are newly labelled under CII, ESCI, or FDI status, however, can expect to receive support from the CSA to ensure compliance in accordance with the new standards and regulations set. This support begins with the CSA engaging owners to better understand the operating context, such as previously implemented cybersecurity measures and the organisation’s current cybersecurity capabilities.
It’s worth noting that the Bill also affords business owners recourse – entities concerned about their designation status affecting operations may file a formal appeal to be excluded, with just cause. Likewise, regulated entities can also appeal against CSA’s decisions, orders, directions, and codes of practice in the event of operational conflicts. Given the broad-stroke applications of CSA’s regulations, it is recommended that businesses prioritise consulting cybersecurity partners that understand the nuance of their industry. These cybersecurity partners can provide businesses with more personalised cybersecurity-compliant advice that doesn’t negatively impact operations.
Work with a trusted cybersecurity partner who is committed to bolstering your defences while keeping your business apprised of the latest trends in the industry. With the right cybersecurity consultant, businesses won’t have to worry about the sweeping changes ahead.
Key points to note for designated entities
Prior to the introduction of the Cybersecurity (Amendment) Bill, CIIs were only required to report cybersecurity incidents concerning critical infrastructure and computer systems under their direct purview. The new Bill steps up reporting standards and requires businesses designated as CIIs to put firmer reporting SOPs into place. This comes in the form of regular audit reports and risk assessments to be submitted to the CSA, in addition to routine participation in national security exercises to bolster cybersecurity.
Businesses designated as ESCIs will also be subjected to regulation, albeit to a lesser degree. For instance, there will be no need for ESCIs to submit audit reports or risk assessments to CSA, or participate in national security exercises regularly. In other words, ESCIs should be able to operate business as usual, with the caveat of some additional oversight from the CSA.
Outside of CIIs, ESCIs, and FDIs, the new Bill also highlights the importance of cloud data providers and data centres being responsible for the cybersecurity of such digital infrastructure. This includes strictly adhering to cybersecurity codes and standards of practice, and reporting any cybersecurity incidents to the CSA.
Need help navigating the complex world of regulation and compliance? Reach out to MyRepublic Business today and embrace a whole new level of cybersecurity with our team of experts.