Alicia Zhuang, our Singapore International Associate Editor, reports on an amended Cybersecurity Bill, just introduced to the Singapore Parliament.
In July 2017, Singapore’s first draft Cybersecurity Bill (“Draft Bill”) was released for public consultation. We summarised it here.
According to the Ministry of Communications and Information (“MCI”) and the Cybersecurity Agency of Singapore (“CSA”), 92 submissions were received in response to the public consultation. The MCI and CSA issued a report summarising the feedback received, and responded to certain feedback (“Report”).
On 8 January 2018, an amended Cybersecurity Bill (“Amended Bill”) was introduced in Parliament.
This article summarises the key changes made to the Bill.
Owner of a critical information infrastructure
The Draft Bill defined the owner of a critical information infrastructure (“CII”) as a person who:
(a) has effective control over the operations of the CII and has the ability and right to carry out changes to the CII; or
(b) is responsible for ensuring the continuous functioning of the CII.
That was somewhat nebulous, and there was concern that parties in the supply chain supporting the operations of a CII, such as third party vendors, might also be tagged as owners of the CII.
Now, making things simpler, the Amended Bill defines an “owner” as the “legal owner” and every joint owner of the CII. Some submissions had suggested that third party vendors should also be responsible for the cybersecurity of CIIs, but the Report clarified that that such responsibility will remain on the shoulders of CII owners. If necessary, the CII owners can impose cybersecurity requirements contractually on the vendors.
Nonetheless, a person who is not the legal owner of the CII may still be saddled with the obligations of an owner if the legal owner can prove to the Commissioner of Cybersecurity (“Commissioner”) that:
(a) the legal owner is not able to comply with his/her duties of a CII owner under the Bill because s/he has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and
(b) that other person has effective control over the operations of the computer or computer system, and the ability and right to carry out changes to the computer or computer system.
Note: According to the Report, several submissions suggested that the definition of CII under the Draft Bill was too broad. Whilst the definition has not really changed in the Amended Bill, the Report clarified that computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs.
Obligation to disclose information to the Commissioner
In relation to potential CIIs
Under the Draft Bill, the Commissioner could require a person appearing to be operating a potential CII to provide information on the computer or computer system. Such a person a person was not obliged to disclose any information if s/he was “prohibited by any written law from disclosing such information”.
Singapore’s Interpretation Act defines “written law” as “the Constitution and all previous Constitutions having application to Singapore and all Acts, Ordinances and enactments by whatever name called and subsidiary legislation made thereunder for the time being in force in Singapore”.
Under the Amended Bill, the Commissioner can require a CII owner or person appearing to be exercising control over a potential CII, to provide information. Such a person is not obliged to disclose any information that is “subject to any right, privilege or immunity conferred or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information”.
In relation to CIIs
Under the Draft Bill, the Commissioner could require CII owners to furnish information on the CII. However, the CII owner was not obliged to disclose any information where s/he was prohibited by any written law from doing so. Secondly, a CII owner “who, in good faith, discloses any information to the Commissioner … is not treated as being in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct”.
In comparison, the Amended Bill says that CII owners are not obliged to disclose any information that is “subject to any right, privilege or immunity conferred or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information”.
The Amended Bill also makes it clear that “the performance of a contractual obligation is not an excuse for not disclosing the information”.
Apart from this, the CII owner will not be treated as being in breach of any contractual obligations if his/her act or omission is done with reasonable care and in good faith, and for the purpose of complying with the Commissioner’s request for information on the CII.
Change in ownership of a CII
The Draft Bill required CII owners to inform the Commissioner of any change in the ownership of the CII, not later than 90 days before the date of the intended change.
Several submissions stated that this requirement was impractical, and the Amended Bill now requires CII owners to report such a change not later than 7 days after the date of change in ownership.
Duty to report cybersecurity incidents in respect of CII
Under the Draft Bill, CII owners were required to notify the Commissioner of “significant” cybersecurity incidents in respect of CII, or in respect of computer or computer systems under the owner’s control which were interconnected with or communicated with the CII. It was unclear what cybersecurity incidents would be considered “significant”.
Now, the Amended Bill pegs notification to “prescribed” cybersecurity incidents.
Cybersecurity audits and risk assessments of CII
The Draft Bill required CII owners to conduct an audit and a cybersecurity risk assessment at least once every three years.
According to the Report, there was feedback that this requirement was inadequate given the pace of technological change and the dynamic nature of the cybersecurity threat landscape.
Now, the Amended Bill requires an audit at least once every two years (or such higher frequency as may be directed by the Commissioner), and a cybersecurity risk assessment at least once a year. The Report clarified that the government would not be providing any grants to offset the costs of the audits and risk assessments.
Licensing of cybersecurity service providers
The licensing framework under the Draft Bill distinguished between “investigative” and “non-investigative” cybersecurity services. The former was defined as involving the circumventing of controls in a computer, the obtaining of a deep level of access to a computer, or the testing of the cybersecurity defences of a computer. The latter was defined as cybersecurity services that were not investigative.
The Amended Bill has done away with this strange, strained, split, and now merely requires a license to be obtained for providers of penetration testing services and managed security operations centre (SOC) monitoring services. (Note: The Report said that resellers of such services would also have to obtain licenses.)
The second reading of the Bill will take place at Parliament’s next available sitting.
If the Bill is passed in Parliament, Parts 3 and 4 of the Bill on CIIs, and any supporting provisions, may come into force a few months after. The Report indicates that CII owners will be given a grace period to comply with their obligations.
In comparison, there is no indication on when the licensing framework will take effect. The Report indicated that the CSA might hold further consultations with stakeholders on the detailed requirements to further enhance its practicability for service providers.