In brief: Singapore already enforces strict government oversight on critical technology infrastructures. City authorities now aim to extend this oversight to other "important" information technology providers as well.
Singapore is working to amend the state's Cybersecurity Bill, which was approved in 2018, to enforce new obligations for third-party companies providing crucial technology services. The Asian country has initiated a public consultation on the amendment, soliciting feedback over a one-month period that will last until January 15, 2024.
The original Cybersecurity Act grants the Cyber Security Agency of Singapore (CSA) oversight powers over national cybersecurity in Singapore. According to the proposed amendment, since the Act's enactment, the cyber-threat landscape and business environment have been constantly evolving. Singapore has emerged as one of the most digitally connected countries globally, leading to increased demands for connectivity, computing, and data storage.
These evolving needs have prompted new considerations regarding cybersecurity and government oversight. While the CSA has previously regulated Critical Information Infrastructure (CII) platforms, it now intends to extend cybersecurity guidance to "other important systems and infrastructure" as well. The Cybersecurity Act specifically identifies energy, water, banking and finance, healthcare, land transport, maritime, aviation, government, infocomm, media, and security and emergency services as providers of CII services.
The proposed amendment to the Cybersecurity Bill will introduce the new category of "foundational digital infrastructure" alongside CII services. This new category is expected to encompass data centers and cloud computing services operating within Singapore's borders. Operators of foundational infrastructure would be obligated to provide additional assurances to Singapore authorities, including the continuous delivery of services and effective prevention of cyber incidents.
The CSA also anticipates that providers of foundational infrastructure will report cyber-attacks within hours and promptly comply with requests from Commissioner David Koh, including audits and requests for information on data center designs. The amendment grants the CSA the authority to conduct on-site inspections to verify compliance with the new rules.
Organizations that fail to comply would be subject to fines or other penalties, as outlined in the amendment. Temporary systems, such as those deployed for high-profile events, would need to adhere to similar rules for one year. The CSA is inviting members of the public and stakeholders to provide their feedback online via the Feedback on the Cybersecurity (Amendment) Bill form.