26 July 2018
This article provides an overview of the Cybersecurity Act 2018 (the "Act"), which is expected to come into force in the second half of 2018. More importantly, the article sets out where you may be regulated under the Act.
Genesis and purpose
The Cybersecurity Bill was passed on 05 February 2018 and received the President's assent to become the Cybersecurity Act 2018 on 02 March 2018.
The purpose of the Act is to establish a legal framework for national cybersecurity in Singapore. The Act is binding on both the public and private sectors.
Critically, the Act:
Regulation of critical information infrastructure (Part 3 of the Act)
A computer or computer system is "critical information infrastructure" ("CII") if it "is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and the computer or computer system is located wholly or partly in Singapore."
The First Schedule of the Act sets out the various services classified as "essential services" under the Act, and includes services like electricity generation; broadband internet; water supply; disease surveillance and response; banking services; civil defence, police and immigration services; air navigation and flight operations services; bus and rapid transit systems; shipping traffic management; broadcasting and newspaper publication; and Government services.
A system is not CII until the Commissioner designates it as such in writing.
In relation to CIIs, the Commissioner is empowered to:
If you are an owner of a CII, you will be required to:
Regulation of cybersecurity service providers (Part 5 of the Act)
No one may provide licensable cybersecurity services except under and in accordance with a license. Providing such services without a license is an offence. A license may be granted for up to 5 years, but the term and any conditions of the license will ultimately be determined by the licensing officer examining your application.
The list of "licensable cybersecurity services" is provided at the Second Schedule of the Act and comprises (i) managed security operations centre monitoring services; and (ii) penetration testing services.
Therefore, if you provide cybersecurity monitoring or "white hat" hacking/penetration testing services, you will be required to obtain a license.
Other key powers and regulations under the Act
Cybersecurity threats or incidents
The Commissioner is empowered to investigate and prevent cybersecurity threats or incidents ("Incidents"). The Commissioner's powers include questioning and taking statements from any person, requiring the production of records, and inspecting, copying, or taking extracts of those records.
The Act distinguishes between an ordinary Incident and a "serious" Incident. A "serious" Incident is one that (i) creates a risk of harm to CII; (ii) creates a risk of disruption to essential services; (iii) creates a threat to Singapore's national security, defence, economy, foreign relations, public health, public safety or public order (collectively, "National Security"); or (iv) is of a severe nature, whether by harm to persons, number of computers, or value of the information put at risk.
Where the Commissioner is investigating or preventing a serious Incident, the Commissioner can also:
Where the Minister is satisfied that emergency cybersecurity measures are required to prevent, detect, or counter any serious and imminent threat to the provision of essential services or Singapore's National Security, the Minister can authorize any person or organization to take such emergency measures as are necessary.
However, these measures do not confer any right to obtain information that is protected by legal privilege.
General powers of investigation
Investigation officers can investigate offences or breaches of the Act, and are empowered to require persons to furnish identification and information, make copies or take possession of documents for further investigation, and attend before the investigating officer for questioning. An investigation officer can also enter premises under a warrant issued by a Magistrate.
Preservation of secrecy
The Minister and Commissioner, their deputies and assistants, and persons authorized or appointed under the Act including cybersecurity technical experts, are required to preserve the secrecy of all matters relating to (i) computers and computer systems; (ii) business, commercial, or official affairs of all persons; (iii) confidential information; and (iv) the identity of persons who furnish information, that they may encounter in the performance of their duties.
Protection of informers
The Act affords some measure of whistle-blower/informer protection. Generally, no witness is permitted to disclose information on informers or to answer any question if the answer would lead to discovering the identity of an informer. If any evidence contains the identity or description of an informer, the Courts must cause that entry to be redacted to protect the informer.
However, if the Courts believe the informer wilfully made false statements, or that justice cannot be fully done without the identity of the informer, the Courts can require full disclosure of the informer.
The Minister can exempt any person or class of persons from any or all of the provisions of the Act, generally or in relation to a particular case, and subject to any conditions as may be prescribed.
Associate Director, BR Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.