New licensing conditions for cyber-security service providers to kick in by early 2022

The licence aims to give greater assurance of safety to customers and raise the quality of the providers, said the Cyber Security Agency of Singapore.

SINGAPORE - Cyber-security service providers, which verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, will soon have to be licensed.

This aims to give greater assurance of safety to customers and raise the quality of the providers, said the Cyber Security Agency of Singapore (CSA) on Monday (Sept 20).

The providers, which can be companies or individuals, will be licensed under a new framework expected to kick in by early next year. CSA has launched a public consultation on the licensing conditions and legislation.

Service providers will be given six months from the start of the framework to apply for a licence.

One of the services to be licensed is "penetration testing", in which the provider simulates attacks against an organisation's systems to find out whether they can be compromised, so that the weaknesses can be fixed before a real attacker exploits them.

The other licensable service is managed security operations centre (SOC) monitoring: watching activity in a client's computer systems to identify threats.

If these services are offered without a licence, providers can be fined up to $50,000, jailed for up to two years, or both, if convicted.

Licences can also be revoked or suspended. CSA can fine an errant company or individual up to $10,000 for each breach of a licensing condition, capped at $50,000 in total for all conditions breached on a particular occasion.

The requirements include that key officers be "fit and proper". They should have no criminal convictions, and no judgment against them in civil proceedings, involving fraud, dishonesty, or morally depraved or wicked behaviour.

Companies or individuals must inform CSA at least 30 days before the appointment of a new key officer. They must also provide information to help it investigate any potential breaches of the licence.

They also need to keep basic records of the services provided for at least three years, including client names and details of the work done, and keep clients' information confidential.

The framework does not cover offerings for non-business consumers, such as anti-virus software or services that monitor e-mails for malware.

Singapore is believed to be one of the first countries in the world to introduce licensing for cyber-security service providers.

The consultation on the licensing conditions also comes after a July report by CSA showed that cyber threats here have risen.

For instance, the number of "zombie" devices here, Internet-connected devices infected with malware that lets hackers control them remotely and use them to launch cyber attacks, roughly tripled amid the Covid-19 pandemic.

An average of 6,600 such malware-infected devices, also called botnet drones, were observed here each day last year, up from 2,300 a day in 2019.

On the aims of the framework, CSA said that as cyber-security risks become more widespread, the demand for credible cyber-security services will continue to grow.

But some services offered can be sensitive and intrusive. If the service providers' access to clients' systems and networks is abused, it can compromise and disrupt customer operations, said the agency. Hence, the providers need to be fit and proper.

Licensing also seeks to improve standards. CSA noted that the "risks of services being carried out by incompetent or substandard providers are multifold". They could cause computer systems to become vulnerable or damaged and lose information. They could even endanger other systems.

Even so, CSA said it does not initially intend to impose quality requirements on service providers in a bid to strike a balance between industry development and cyber-security needs.

"Nonetheless, it is envisaged that licensing could serve as the means through which the quality of (service providers) could be raised over time in future, such as through the introduction of a code of ethics or certain baseline competency requirements," it added.

Licensing also aims to address an information gap that can exist between service providers and their customers by helping the latter identify credible providers.

CSA said customers, especially smaller buyers, may not have expert knowledge and not know which providers are ethical or of good quality. This could lead to some being unable to get "appropriate cyber-security services from credible service providers for their risks and budget".

ST Engineering, which offers licensable services, views the new framework as relevant and viable for cyber-security service providers, regardless of the scale of their operations.

Mr Goh Eng Choon, ST Engineering's president of cyber business, said that "being a licensee endorsed by CSA would give customers added assurance of our service quality and the skills of our certified professionals, as well as demonstrate our commitment to ethical operations and stringent standards".

CSA estimates that more than 150 licence applications will be submitted.

The licence, new or renewed, is expected to last for two years. The fee is $1,000 for business entities and $500 for individuals, such as freelancers or a sole proprietorship.

But due to the pandemic, 50 per cent of the fees will be waived for applications lodged in the first 12 months from the start of the licensing framework.

Details of the industry consultation on the framework can be found at CSA's website and the public has until 5pm on Oct 18 to give feedback.