To beef up the country’s defences against increasingly sophisticated cyber attacks, new laws have been proposed that, among other things, require owners of critical information infrastructure (CII) in 11 key sectors to report any cyber security incidents, and to share information with the authorities when ordered.

These sectors provide essential services and comprise government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.

The draft Cybersecurity Bill also proposes to license cyber security service providers and practitioners, starting with those providing penetration testing and managed security operations centre services.

Public consultation for the proposed laws began on Monday, and closes on Aug 3.

The Bill may supersede existing secrecy laws in the various sectors, and establishes a framework to manage cyber security in Singapore.

It also gives the Cyber Security Agency (CSA) powers to carry out its functions.

Under the proposed Bill, public and private-sector owners of CII — defined as computer systems necessary for the continuous delivery of essential services — will have certain statutory duties, such as reporting cyber attacks to the Commissioner of Cybersecurity, and carrying out audits, risk assessments as well as participating in cyber security exercises.

The list of CII will be constantly evaluated, and additions will be made when necessary by the CSA.

While the CII owners will not be directly penalised for cyber security breaches, they are liable for criminal offences “in cases where they fail to perform their duties wilfully, or fail to comply with the commissioner’s directions without reasonable excuse”, based on the public consultation paper.

In such cases, they could be fined up to S$100,000, and jailed for a maximum of two years if convicted.

CSA chief executive officer David Koh said that the draft Bill is different from existing legislation — such as the Computer Misuse Act — in terms of having an expanded scope, officially designating CII, and spelling out clearly the duties of CII owners, for instance.

“The (draft) Bill also aims to raise our overall cyber security posture, by licensing certain cyber security service providers,” he said.

A framework will be established for the sharing of cyber security information with CSA officers. This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident.

If necessary, any relevant organisations that are outside the 11 key sectors may be compelled to share information with the CSA.

The licensing regime was proposed in light of the “need for more credible services, as cyber security risks become more mainstream”, said the CSA. Nevertheless, in-house providers will be exempted.

Two types of licences are proposed for investigative and non-investigative cyber security services. To meet licensing requirements, service providers must have key executive officers, who are fit and proper persons, comply with a code of ethics and retain service records for five years, among others.

Under the new laws, unlicensed cyber service providers, for example, could be fined as much as S$50,000, or jailed for a maximum of two years, or both.

Cyber security experts and lawyers TODAY spoke to welcomed the draft Bill, which “elevates” cyber security in sectors providing essential services “from what was previously a decision left to the business owner’s discretion”, as Mr Steve Lam, a partner at Ernst & Young Advisory, put it.

Mr Vincent Loy, Cyber and Financial Crime leader at PWC, noted that it specifically places responsibility on individuals, rather than organisations.

Under the draft Bill, senior management could be held liable for specific offences.

“Now someone is personally liable, and he can go to jail or has to pay a fine. This creates more impact, and highlights the importance of complying with the rules,” Mr Loy said.

Lawyer Bryan Tan of Pinsent Masons added: “In future, people do really need to pay attention, as the laws would have more bite than ever before.”

He noted that with the licensing of penetration testing, a line would be drawn between white-hat and blackhat hackers, and this would encourage legitimate hackers to get licensed.

The licensing regime would “improve assurance on security and safety”, as well as raise quality of cyber security services, said Mr Jack Ow, Intellectual Property & Technology partner at RHTLaw Taylor Wessing.

KEY THRUSTS OF THE PROPOSED CYBERSECURITY BILL

A total of 11 sectors will have to comply with the proposed Bill. Apart from the government, others include security and emergency, healthcare, telecommunications, banking and finance, water and media sectors.

Critical information infrastructure (CII) owners in these sectors will have to report cyber attacks, carry out audits and risk assessments, as well as take part in cyber security exercises, among other statutory duties.

CII owners are liable if they wilfully fail to comply with any of their duties.

Organisations will be compelled to share cyber security information with Cyber Security Agency of Singapore officers, in order to investigate any cyber security threat or attack.

Cyber security service providers and practitioners will be licensed, starting with those providing penetration testing and managed security operations centre services.

Source:
courtesy of TODAY

by TAN WEIZHEN

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]