Out-Law News
15 Nov 2017, 9:20 am
The Ministry of Communications and Information (MCI) and the Cyber Security Agency (CSA) clarified the position in response to feedback received in a consultation on the planned Cybersecurity Bill. They said businesses had raised concerns about the potential scope of the Bill, which will apply to critical information infrastructures (CIIs).
"Some respondents felt that the proposed definition of CIIs was too broad and asked for more clarity on the scope of 'computers' and 'computer systems' that might be designated as CIIs," the MCI and CSA said. "We wish to clarify that this definition is intended to formalise our existing engagements with CII stakeholders, which has been in place since 2013."
"We will amend the Bill to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs. All other computers and computer systems will not be considered CIIs, and the obligations in Part 3 of the Bill therefore do not apply to them. Specifically, computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs, therefore third-party vendors will not be considered as owners of CIIs," they said.
According to the original proposals for the Bill, all security breaches affecting CIIs in Singapore would need to be reported by the infrastructure's operators. CIIs would also be subject to regular audits, and operators would be obliged to conduct regular risk assessments.
The MCI and CSA said that the Bill would be amended to "streamline" some of the duties of CII owners under the new laws so that they fit with existing obligations the organisations face under sector regulations.
"The appointment of assistant commissioners to oversee CIIs in each sector will ensure that the Bill requirements are sensible and take into account existing sector-specific requirements, including international requirements," the MCI and CSA said. "This is because the sector regulators understand the unique contexts and complexities in each sector, and are in a good position to balance the sectors’ cybersecurity needs and business requirements."
Provisions concerning the licensing of cybersecurity service providers will also be amended in response to industry feedback, the government said.
"To strike a balance between industry development and security needs, MCI and CSA intend to simplify the licensing framework by doing away with the licensing of individual cybersecurity professionals, and removing the distinction between 'investigative' and 'non-investigative' types of licensable services," the MCI and CSA said.
"This will allow the Bill to be more future-proof, and enable it to stay relevant even as cybersecurity services continue to evolve. At this point, we intend to license only penetration testing and managed security operations centre (SOC) monitoring service providers, as such services are already mainstream and widely-adopted," they said.
Bryan Tan, a technology law expert at Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law.com, said: "The Cybersecurity Bill is ground-breaking so it will take time to forge a position which balances the interests while achieving its desired effect. The large number of responses to the public consultation, not just from potential CII owners, is a good sign of healthy interest."