Singapore to Amend Cybersecurity Act to Secure Supply Chains
CSA Offers Revised Cybersecurity Law to Monitor Noncritical Digital Infrastructure
Singapore's cybersecurity agency is asking for public comments on a proposed list of amendments to the country's Cybersecurity Act to enhance its ability to monitor supply chain security and digital technologies that fall outside the definition of critical information infrastructure.
The Cybersecurity Agency of Singapore released key aspects of the proposed bill on Friday, stating that the five-year-old law could soon become obsolete because of rapid shifts in technology.
CSA said businesses are adopting technologies such as cloud computing and new business models, and the Cybersecurity Act must evolve accordingly.
The agency aims to require providers of critical infrastructure and essential services to share information with the CSA commissioner about existing agreements with cloud providers, software suppliers and supply chain vendors.
The amendments also seek to require CII operators and owners to conduct regular risk assessments and audits of vendors and to take full responsibility for the security of critical information and systems stored and operated by vendors or cloud providers. Providers of essential services also must report cybersecurity incidents affecting vendors or suppliers.
Under the proposal, the CSA commissioner will be able to conduct on-site inspections of critical information infrastructure if the provider has not complied with the act or specific codes, practices, standards and written directions from the commissioner.
Since the passage of the Cybersecurity Act in 2018, Singapore has taken incremental steps to enhance the cybersecurity of essential government systems and critical infrastructure. The government this year implemented 24 cybersecurity-enhancing actions recommended by the Public Sector Data Security Review Committee, including enhancing a third-party management framework to ensure outside partners handle government data appropriately (see: Singapore Government Keeps Data Security Incidents in Check).
Recommended actions included establishing a central contact point in the Government Data Office to enable the public to report government data incidents, instituting organizational key performance indicators for data security and appointing the Digital Government Executive Committee to oversee public sector data security.
In 2022, the government also completed the deployment of a data loss prevention tool across all government laptops and enhanced data logging and monitoring capabilities to prevent the accidental loss or unauthorized disclosure of government data to third parties.
The proposed amendments to the Cybersecurity Act aim to strengthen the security of digital infrastructure and online platforms not covered by the 2018 legislation.
"Disruptions to the functioning of digital infrastructure can also have a significant impact, given the potentially pervasive knock-on impact on the services that rely on them. There is therefore a need to ensure that the digital infrastructure that Singaporeans rely on, beyond those that are already designated as CII, is secure," CSA said.
The agency said the proposed amendments will give the CSA commissioner powers to designate digital services entities as "foundational digital infrastructure," or FDI. Entities with this designation will be required to notify the commissioner about cybersecurity protocols and practices in place and cybersecurity incidents, and they must comply with specific codes, practices, standards and written directions from the commissioner.
"This update of the Cybersecurity Act is important to ensure that the necessary safeguards are put in place for the digital infrastructure and services that we use," CSA Commissioner David Koh said. "This way, Singaporeans and businesses can embrace digitalization with confidence, knowing that they are safe and secure in the digital domain."
Once the amendments become law, the commissioner will create rules on incident reporting requirements for major FDIs, such as the threshold at which a report is required, reporting timelines and the information to be reported. CSA also will be able to impose financial penalties that are "commensurate with the risks resulting from non-compliance and an effective deterrent effect against non-compliance."
The commissioner will have powers to designate organizations as "entities of special cybersecurity interest," or ESCIs, if their compromise is likely to have a significant impact on the defense, foreign relations, economy, public health, public safety or public order of Singapore. Like FDIs, ESCIs will report cybersecurity incidents and information about cybersecurity protocols and practices to CSA from time to time or whenever such information is requested.
To prevent cybercriminals from disrupting essential computer systems and digital infrastructure when they are needed the most, the amendments also seek to designate specific computer systems as "systems of temporary cybersecurity concern" if they are critical to Singapore for a time-limited period. Such systems may include those that support key international events, such as the World Economic Forum, or those set up to support the distribution of vaccines during the COVID-19 pandemic.