SINGAPORE - With cyber attacks on the rise during the Covid-19 pandemic and concerns over unethical or incompetent cyber-security service providers, there is a demand for credible providers to manage such risks.
But which firms can customers trust?
This decision will soon become easier to make, with a new licensing framework launched by the Cyber Security Agency of Singapore (CSA) on Monday (April 11).
Service providers, which verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, have to apply to be licensed by Oct 11.
This requirement seeks to safeguard the interests of customers, help them identify credible providers and, with time, improve quality. It also covers resellers of licensable services.
Singapore is believed to be one of the first countries globally to introduce licensing for cyber-security service providers.
The scope of the licensing framework was set out earlier in the Cybersecurity Act that came into force in 2018.
But the framework's implementation was delayed to give more time for industry consultation and to work out details.
The launch comes at a time when threats are growing.
A CSA report in July 2021 showed that "zombie" devices, which are linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks, tripled in number here during the pandemic.
Reports also emerged in the past few weeks after Russia's invasion of Ukraine in late February that some countries - such as the United States, Germany and Italy - have warned about the risks of organisations using anti-virus software from Moscow-based Kaspersky, due to concerns that Russia might use it for cyber attacks.
On the aims of Singapore's licensing framework, CSA said in September 2021 that as risks become more widespread, the demand for credible cyber-security services will continue to grow.
But some services offered can be sensitive and intrusive.
If the service providers' access to clients' systems and networks is abused, it can compromise and disrupt customer operations, said the agency. Hence, providers need to be fit and proper under the licensing framework.
Replying to media queries on Monday, CSA said that while applicants will be asked to provide their nationality, "the same licensing requirements will apply to all service providers as long as they are providing licensable services... to the Singapore market".
"Additional information necessary for the licensing officer to make an assessment on whether the applicant is fit and proper may also be required," it added.
The agency also said last year that the "risks of services being carried out by incompetent or substandard providers are multifold". Licensing, thus, seeks to improve standards over time.
Licensing aims to address an information gap faced by customers, especially smaller ones, by helping them to identify credible providers, said CSA.
Telco StarHub, one reseller of cyber-security services that provided feedback on the licensing framework, said that with the "growing importance of cyber security in today's digital world, we understand the need for a calibrated and effective licensing regime".
One of the services that require licensing is "penetration testing", which checks if an organisation can identify and respond to simulated cyber-security attacks.
Another licensable service is for monitoring activities in computer systems to identify threats.
Organisations that offer licensable cyber-security services for free, as well as entities that provide such services to a related company, do not need to be licensed.
The framework also does not cover offerings for non-business consumers, such as anti-virus software.
Providers, either companies or individuals, who offer a licensable service without a licence after the deadline can be fined up to $50,000, jailed for up to two years or both.
But providers who apply for a licence by Oct 11 can continue to offer their services until a decision on their application has been made.
Licensed service providers that fail to meet licensing conditions can have their licence revoked or suspended, and face a fine of up to $10,000 for each infringement, capped at $50,000 in total.
CSA sought public feedback on the licensing framework from September to October last year. Some respondents suggested that licensing be required only for providers that offer services to clients directly, and exclude sub-contractors or resellers.
And for providers that tap related businesses from the same corporate group here or overseas to offer services to the same customer, they asked that just one entity in the group need be licensed.
CSA said it understood the concerns over the possible administrative burden. But it added that requiring only one entity to be licensed might undermine regulatory objectives, especially since business partnerships, consortiums or legal arrangements might not be transparent to clients.
"So long as any such entities engage in the business of providing any licensable cyber-security service to the Singapore market, they must be licensed," said CSA.
Another suggestion was for a list of licensed providers to be published.
CSA said it will be provided on a new Cybersecurity Services Regulation Office website when applicants receive their licence.
The office will also enforce the framework, such as by imposing licence conditions, and develop and share resources on licensable services with customers.
Law firm Rajah & Tann Singapore said the framework helps it to identify qualified and capable cyber-security vendors, which gives it peace of mind.
"The framework may also provide a clearer direction as to how complaints against unethical or incompetent service providers can be raised by end users like Rajah & Tann Singapore when egregious errors resulting in a compromise of the firm's cyber security are made by a licensed provider," said Mr Ong Ba Sou, regional IT director at Rajah & Tann Singapore.
The law firm is concerned that accredited vendors may raise their service cost substantially. "The firm may also have limited options if there is now a potentially narrower selection of vendors to choose from," said Mr Ong.
The fees for the licence, which is valid for two years, are $500 for individuals and $1,000 for businesses.
A one-time 50 per cent waiver of the fees is available for all applications lodged before April 11, 2023, to support businesses due to the impact of Covid-19, said CSA.