BR Law Corporation

What you need to know about the upcoming Cybersecurity Act

 
26 July 2018
Dharma Sadasivan
This article provides an overview of the Cybersecurity Act 2018 (the "Act"), which is expected to come into force in the second half of 2018. More importantly, the article sets out where you may be regulated under the Act.
Genesis and purpose
The Cybersecurity Bill was passed on 05 February 2018 and received the President's assent to become the Cybersecurity Act 2018 on 02 March 2018.
 
The purpose of the Act is to establish a legal framework for national cybersecurity in Singapore. The Act is binding on both the public and private sectors.
 
Critically, the Act:
  • regulates critical information infrastructure;
  • regulates cybersecurity service providers; and
  • establishes and empowers a Commissioner of Cybersecurity (the "Commissioner") with administrative powers as well as powers to investigate, prevent, and respond to cybersecurity incidents of varying severity.
 
Regulation of critical information infrastructure (Part 3 of the Act)
A computer or computer system is "critical information infrastructure" (or "CII") if it "is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and the computer or computer system is located wholly or partly in Singapore."
 
The First Schedule of the Act sets out the various services classified as "essential services" under the Act, and includes services like electricity generation; broadband internet; water supply; disease surveillance and response; banking services; civil defence, police and immigration services; air navigation and flight operations services; bus and rapid transit systems; shipping traffic management; broadcasting and newspaper publication; and Government services.
 
A system is not CII until the Commissioner designates it as such in writing.
 
In relation to CIIs, the Commissioner is empowered to:
  • obtain information from the computer or computer system owner (the "Owner") to determine if it is CII;
  • require the Owner to furnish information about the CII once it has been designated as such;
  • withdraw the CII designation;
  • issue or approve codes of practice or standards of performance which must be observed by every CII owner;
  • issue written directions to owners of CII, including action to be taken in relation to cybersecurity threats, compliance with any code of practice or standard of performance, and audits of the CII owner;
  • order its own audits of CII owners; and
  • conduct cybersecurity exercises to test the readiness of CII owners in responding to cybersecurity incidents.
 
If you are an owner of a CII, you will be required to:
  • comply with the Commissioner's directions and requests for information;
  • adhere to codes of practice and standards of performance that apply to the CII;
  • notify the Commissioner of any changes in ownership of the CII;
  • report cybersecurity incidents in respect of CII and establish mechanisms and processes for detecting cybersecurity threats and incidents in respect of the CII;
  • conduct an audit for compliance of the CII with the Act every 2 years and furnish the results to the Commissioner;
  • conduct an annual cybersecurity risk assessment and furnish the results to the Commissioner; and
  • participate in cybersecurity exercises if directed in writing by the Commissioner.
 
Regulation of cybersecurity service providers (Part 5 of the Act)
No one may provide licensable cybersecurity services except under and in accordance with a license. Providing such services without a license is an offence. A license may be granted for up to 5 years, but the term and any conditions of the license will ultimately be determined by the licensing officer examining your application.
 
The list of "licensable cybersecurity services" is provided at the Second Schedule of the Act and comprises (i) managed security operations centre monitoring services; and (ii) penetration testing services.
 
Therefore, if you provide cybersecurity monitoring or "white hat" hacking/penetration testing services, you will be required to obtain a license.
 
Other key powers and regulations under the Act
 
Cybersecurity threats or incidents
The Commissioner is empowered to investigate and prevent cybersecurity threats or incidents ("Incidents"). The Commissioner's powers include questioning and taking statements from any person, requiring the production of records, and inspecting, copying, or taking extracts of those records.
 
The Act distinguishes between an ordinary Incident and a "serious" Incident. A "serious" Incident is one that (i) creates a risk of harm to CII; (ii) creates a risk of disruption to essential services; (iii) creates a threat to Singapore's national security, defence, economy, foreign relations, public health, public safety or public order (collectively, "National Security"); or (iv) is of a severe nature, whether by harm to persons, or number of computers, or value of the information put at risk.
 
Where the Commissioner is investigating or preventing a serious Incident, the Commissioner can also:
  • direct persons to carry out or cease activities to minimize cybersecurity vulnerabilities;
  • require the owner of a computer or computer system to assist with the Commissioner's investigation;
  • enter premises upon giving reasonable notice if there is a reasonable suspicion that an affected computer or computer system is or was within the premises;
  • inspect computers or computer systems related to the Incident;
  • scan a computer or computer system for cybersecurity vulnerabilities;
  • take copies or extracts of electronic records or computer programs suspected to be affected by the Incident; and
  • subject to the owner's consent or the written authorization of the Commissioner, take possession of any computer or equipment for further analysis.
 
Emergency powers
Where the Minister is satisfied that emergency cybersecurity measures are required to prevent, detect, or counter any serious and imminent threat to the provision of essential services or Singapore's National Security, the Minister can authorize any person or organization to take such emergency measures as are necessary.
 
However, these measures do not confer any right to obtain information that is protected by legal privilege.
 
General powers of investigation
Investigation officers can investigate offences or breaches of the Act, and are empowered to require persons to furnish identification and information, make copies or take possession of documents for further investigation, and attend before the investigating officer for questioning. An investigation officer can also enter premises under a warrant issued by a Magistrate.
 
Preservation of secrecy
The Minister and Commissioner, their deputies and assistants, and persons authorized or appointed under the Act, including cybersecurity technical experts, are required to preserve the secrecy of all matters that they may encounter in the performance of their duties relating to (i) computers and computer systems; (ii) business, commercial, or official affairs of all persons; (iii) confidential information; and (iv) the identity of persons who furnish information.
 
Protection of informers
The Act affords some measure of whistle-blower/informer protection. Generally, no witness is permitted to disclose information on informers or to answer any question if the answer would lead to discovering the identity of an informer. If any evidence contains the identity or description of an informer, the Courts must cause that entry to be redacted to protect the informer.
 
However, if the Courts believe the informer wilfully made false statements, or that justice cannot be fully done without the identity of the informer, the Courts can require full disclosure of the informer.
 
General exemptions
The Minister can exempt any person or class of persons from any or all of the provisions of the Act, generally or in relation to a particular case, and subject to any conditions as may be prescribed.
 
 

Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com


    Disclaimer

    The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of  publication, but may no longer be, now or in the future, in the employ of the firm.
