Date: 2022-04-12

With cyber attacks on the rise during the Covid-19 pandemic and concerns over unethical or incompetent cyber-security service providers, there is a demand for credible ones to manage risks. But which of them can customers trust?

The decision will be easier to make with a licensing framework launched yesterday by the Cyber Security Agency of Singapore (CSA).

Service providers, which verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, will have to apply to be licensed by Oct 11.

This requirement seeks to safeguard customers' interests, enabling them to identify credible providers and, with time, improve quality. It also covers resellers of licensable services.

Singapore is believed to be one of the first countries globally to introduce licensing for cyber-security service providers.

The scope of the licensing framework was set out earlier in the Cybersecurity Act that came into force in 2018. However, the implementation was delayed to give more time for industry consultation and to work out details.

The launch comes at a time when threats are growing.

A CSA report last July showed that "zombie" devices, which are linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks, trebled in number here during the pandemic.

Reports also emerged in the past few weeks, after Russia's invasion of Ukraine in late February, that some countries - such as the United States, Germany and Italy - have warned about the risks of organisations using anti-virus software from Moscow-based Kaspersky, due to concerns that Russia might use it for cyber attacks.

On the aims of Singapore's licensing framework, CSA said in September last year that as risks become more widespread, the demand for credible cyber-security services will continue to grow.

But some services offered can be sensitive and intrusive. If the service providers' access to clients' systems and networks is abused, it can compromise and disrupt customer operations, said the agency. Hence, providers need to be fit and proper under the licensing framework.

CSA said yesterday that while applicants will be asked for their nationality, the same licensing requirements will apply to all providers if they provide licensable services to Singapore. Extra information to assess if they are fit and proper may be needed as well.

The agency also said last year that the "risks of services being carried out by incompetent or substandard providers are multi-fold". Licensing, thus, seeks to improve standards over time.

Licensing also aims to address an information gap faced by customers, especially smaller ones, by helping them to identify credible providers, said CSA.

One of the services that require licensing is "penetration testing", which checks if an organisation can identify and respond to simulated cyber-security attacks.

Another licensable service involves monitoring activities in computer systems to identify threats.

Organisations which offer licensable cyber-security services for free, and entities that provide such services to a related company, do not need to be licensed. The framework does not cover offerings for non-business consumers, such as anti-virus software.

Providers, either firms or individuals, who offer a licensable service without a licence after the deadline can be fined up to $50,000, jailed for up to two years or both.

Law firm Rajah & Tann Singapore said the framework helps it to identify qualified and capable cyber-security vendors, which gives it peace of mind.

"The framework may also provide a clearer direction as to how complaints against unethical or incompetent service providers can be raised by end users like Rajah & Tann Singapore when egregious errors resulting in a compromise of the firm's cyber security are made by a licensed provider," said Mr Ong Ba Sou, regional IT director at Rajah & Tann Singapore.