SINGAPORE - Essential services operators in Singapore must declare cyber-security outages and attacks faced by suppliers, as well as require these suppliers to provide contractual assurances, as part of proposed changes to the Cybersecurity Act tabled on April 3.
The authorities can also require organisers of major events here and autonomous universities to disclose their cyber-security measures under the Cybersecurity (Amendment) Bill.
The Cyber Security Agency of Singapore (CSA) said that the Bill – the first change to the Act since it came into force in 2018 – seeks to expand its oversight of critical information infrastructure (CII), as threats can often be obscured with increased digitalisation.
“The key aspect of the Bill is that it will ensure that CII owners remain responsible for the cyber security and cyber resilience of the CII, even as they embrace new technological and business models, like the use of cloud computing,” said CSA. “CII owners will also be required to report more types of incidents, such as those that happen in their supply chains.”
The critical sectors are: energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security and emergency services, and government.
The changes will expand CSA’s oversight of CII and any linked third-party systems, as well as levers to audit the digital defences of major event organisers, universities and other groups that hold sensitive data or perform significant functions.
CII owners will still bear responsibility for cyber incidents, including those that take place within the systems of their vendors and even if the CII had been outsourced or offshored. Thus, the Bill will require essential services providers to obtain legally binding cyber-security commitments from third-party vendors.
Catch up on the news that everyone’s talking about
Thank you!
Sign up
By signing up, I accept SPH Media's Terms & Conditions and Privacy Policy as amended from time to time.
Yes, I would also like to receive SPH Media Group's SPH Media Limited, its related corporations and affiliates as well as their agents and authorised service providers.
marketing and promotions.
CII owners that fail to comply can face penalties for non-compliance.
The Bill also requires designated digital infrastructure players and entities of special cyber-security interest to follow similar obligations, under a separate framework where they are subject to “light touch” regulations as they are not owners of designated CII.
The Bill comes after several rounds of public consultations with companies, trade associations, government agencies and individuals since 2022.
Respondents generally understood the need for greater oversight, while some raised concerns about which systems in their periphery should be considered to be interconnected with their critical services, CSA said. Others asked about costs and how they would be inspected.
CSA said the proposed laws aim to address evolving tactics of cyber criminals to disrupt essential services, adding: “CSA holds the view that all CIIs, regardless of whether they are outsourced or owned by CII owners, should be subject to similar levels of cyber-security requirements.”
On how systems will be inspected, CSA said the proposed law makes clear that the authorities will step in only when it appears the CII owner has failed to comply.
Once the new policies are in force, organisations that do not comply can be penalised through fines, depending on the severity of the case.
Proposed changes to Cybersecurity Act of S’pore, and what triggered them
New law mooted to minimise digital service disruptions due to cloud, data centre outages
Unlock unlimited access to ST exclusive content, insights and analyses
ST One Digital - Annual
$9.90 $4.95 /month
Get offer
$59.40 for the first year and $118.80 per year thereafter.
ST One Digital - Monthly
29.90 $9.90 /month
Subscribe today
No lock-in contract
Unlock more knowledge, unlock more benefits
New feature: Stay up to date on important topics and follow your favourite writers with myST All subscriber-only content on ST app and straitstimes.com Easy access any time via ST app on one mobile device
Join ST's WhatsApp Channel and get the latest news and must-reads.
Cyber security Digitalisation Smart Nation Josephine Teo Singapore Parliament
Facebook Telegram More Whatsapp Linkedin Twitter FB Messenger Email Print Purchase Article Copy permalink https://str.sg/9axM
Read this subscriber-only article for free!
Just sign up for a free account and log in to continue reading.
Essential services providers to meet higher cyber-security standards under proposed law amendment
Sign up
Already have an account? Log in.
All done! This article is now fully available for you
Essential services providers to meet higher cyber-security standards under proposed law amendment
Read now
Please verify your e-mail to read this subscriber-only article in full
Essential services providers to meet higher cyber-security standards under proposed law amendment
Resend verification e-mail
The gift link for this subscriber-only article has expired.
Get unlimited access to all stories at $0.99/month for the first 3 months.
Subscribe now
You have reached your limit of subscriber-only articles this month.
Get unlimited access to all stories at $0.99/month for the first 3 months.
Subscribe now
Read and win!
Read 3 articles and stand to win rewards
Let's go! Terms & conditions apply
Frequently asked questions
Good job, you've read 3 articles today!
Spin the wheel now
Let's go! Terms & conditions apply
Frequently asked questions