Out-Law / Your Daily Need-To-Know

Singapore starts licensing cyber security service providers

Out-Law News | 13 Apr 2022 | 9:18 am | 1 min. read

The Cyber Security Agency of Singapore (CSA) has launched new licensing rules for cybersecurity service providers. The CSA has done so because it wants to protect consumers’ interests and solve the information asymmetry between consumers and providers.

The CSA will provide licences to two types of providers, which are providing penetration testing and managed security operations centre monitoring services. They include companies or individuals who are directly engaged for such services, third-party providers that support such companies, and resellers of the licensable cybersecurity services.

Mark Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, said: “In order to maximise the benefits of a digitalised economy, a stable and reliable cybersecurity framework is a key feature. In particular, with the rapid growth of e-commerce, proliferation of community marketplace platforms, social media platforms and accelerated digitalisation, it is clear that the number of online transactions being carried out globally will continue to increase as well. Consequentially, an increasingly number of people and businesses are likely to continue to face cyber attacks as a result of the foregoing, which will in turn lead to an increased demand for credible cybersecurity providers in order to mitigate such risks.”

“With the launch of this licensing framework, it is envisaged that customers seeking to engage cybersecurity service providers in Singapore will have a somewhat easier decision making process, as this is expected to assist them to identify qualified and credible cybersecurity service providers in this regard,” he said.

Under the new rules, existing cybersecurity service providers will apply for a licence or stop providing such services until 11 October. After that date, if a person provides any licensable cybersecurity service to another person without a licence will face up to two years in jail, a maximum S$50,000 fine, or both.

Each licence is valid for two years, and costs S$500 for individuals and S$1,000 for businesses. The CSA will offer a one-time 50% reduction of the licence fees for all applications submitted before 11 April 2023.

The CSA launched the rules after it finished a four-week consultation process from 20 September to 18 October 2021. The CSA set up the Cybersecurity Services Regulation Office (CSRO) to manage the licensing rules and all licensing related matters.