SINGAPORE - Critical information infrastructure (CII) owners in Singapore must report security breaches, and cyber-security vendors providing highly sensitive services here will need to be licensed if a proposed Cybersecurity Bill gets the green light.
The draft Bill was released on Monday (July 10) for public consultation.
It follows last October's announcement of a high-level cyber-security strategy that includes strengthening global partnerships and directing more funds to plug security gaps in CII, such as those that run telecommunications, transport, healthcare, banking and energy services.
Singapore's Cyber Security Agency (CSA), which spent almost two years working on the new law, said the overarching Bill is consistent with efforts to raise Singapore's cyber-security posture.
"The current legislation, the Computer Misuse and Cybersecurity Act, focuses more on cyber crime. As the (threat) landscape evolves, it is better to have an omnibus Bill that oversees the cyber security of (essential services) as a whole," said CSA chief executive David Koh.
The Bill aims to harmonise the requirements to protect CII across the public and private sectors. It also aims to clarify organisations' obligations to share information in order to facilitate investigations of cyber-security threats or incidents undertaken by CSA.
For instance, banking and privacy rules that forbid the sharing of confidential information will be superseded by the Cybersecurity Bill.
The Bill also confers power on CSA's chief as Commissioner of Cybersecurity to investigate threats and incidents to ensure that essential services here are not disrupted in the event of a cyber attack.
Citing the recent WannaCry and NotPetya ransomware attacks, Mr Koh said: "Around the world we have seen attacks affecting critical infrastructure such as energy and power supply."
He warned that Singapore is vulnerable even though its critical sectors were not disrupted by the ransomware.
Proactive measures, spelt out for the first time, seek to minimise disruption to essential services when such attacks happen. They include mandating CII owners to do the following:
- Notify the commissioner of the CII suffering a cyber-security attack;
- Conduct regular system audits by a commissioner-approved third party;
- Conduct regular risk assessments of the CII;
- Comply with directions issued by the commissioner, including providing access to premises, computers or information during investigations.
Depending on the offence, the maximum penalty is a fine of $100,000 or a jail term of up to 10 years.
This complements existing fines imposed when there are service disruptions in critical sectors. In the telco sector, for instance, the maximum fine that its regulator can impose for contravening the Telecom Service Resiliency Code, which sets out minimum service standards, is $1 million or 10 per cent of the annual turnover of a licensee, whichever is higher.
Vendors providing services in two areas - investigative work that involves hacking and forensic examination, and non-investigative work such as managed security operations - must be licensed, just as locksmiths are licensed in Singapore. Investigative cyber-security service practitioners such as hackers must also apply for an individual licence. Those found guilty of not having the required licences face a maximum fine of $50,000 or an imprisonment term not exceeding two years, or both.
The consultation ends on Aug 3.
PwC Singapore's Asia-Pacific cyber-crime and financial crime leader Vincent Loy said: "It is a matter of (time that) cyber-security incidents happen in Singapore. This cyber-security Bill will provide a good foundation for Singapore to manage cyber-security risk... for the continuous delivery of essential services."