5 Key Takeaways from the Singapore Cybersecurity Act (Amendment)

May 29, 2024

This article was authored by Eva Kwok, Head of Cybersecurity, Hong Kong, and Eli Serota, Director, Cybersecurity & Data Privacy Communications.

On May 7, 2024, Singapore’s Parliament passed an Amendment proposed by the Cyber Security Agency of Singapore (CSA), the first update to the Cybersecurity Act since it came into force in 2018. If assented to, the amendment will expand the oversight of the CSA, with a focus on enhancing the resilience of Singapore’s critical information infrastructure (CII). The aim is to keep pace with developments in the cyber threat landscape and the evolving technological operating environment. Sectors classified as CII include:

  • Energy 
  • Water 
  • Banking and Finance 
  • Healthcare 
  • Transportation 
  • Infocom and Media 
  • Security and Emergency Services 
  • Government 

Importantly, CII operators would be required to report a wider range of cybersecurity incidents affecting their systems and supply chains. Find our five key takeaways from the amendment below:  

  1. Cybersecurity Incident Reporting

CII operators must report cybersecurity incidents aimed at their systems to the CSA, including those managed by or linked to their supply chains, if they impact the CII’s services in any way.

  2. Increased CSA Oversight

Authorities can now designate Systems of Temporary Cybersecurity Concern (STCC). This would include any computer systems that are critical to Singapore and are at a high risk of cyber attacks because of certain events or situations. For example, temporary systems used to support the distribution of critical vaccines during a pandemic would be considered STCC.

  3. New Classes of Regulated Entities

CSA will create two new classes of regulated entities, which will be subject to a light-touch regulatory treatment. These are Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI). CSA can designate organizations as ESCI if they hold sensitive information or perform a function of national interest, such as autonomous universities, and require that they comply with regulatory obligations.

  4. International Implications

CSA will be able to designate and regulate a CII supporting an essential service from overseas, so long as its owner is in Singapore and the computer system would have been designated as a CII had it been located in Singapore.

  5. Digital Infrastructure Responsibility

Organizations that provide digital infrastructure services that are foundational to Singapore’s economy or way of life (such as cloud service providers and data centers) must shoulder responsibility for the cybersecurity of such digital infrastructures. This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA. 

Next Steps for Organizations 

If the amendment becomes law, CII operators will need to make updates to their cybersecurity incident reporting structures, along with changes to the cybersecurity measures surrounding their digital infrastructure. To start preparing for the changes now, CII operators should: 

  • Conduct a cybersecurity assessment to understand the current state of protections surrounding their digital infrastructure 
  • Ensure a comprehensive organizational incident response plan is in place that incorporates incident reporting timelines 
  • Engage in a cybersecurity incident response simulation exercise to thoroughly test the incident response plan 
  • Monitor for additional updates and guidance stemming from this amendment 

The assent of this amendment to the Cybersecurity Act would ultimately lead to stronger protections surrounding Singapore’s digital economy and emerging technologies for CII owners. Organizations in Singapore, and those operating internationally who will be affected by this amendment, are encouraged to begin assessing current cybersecurity protocols, including communications apparatuses and regulatory reporting requirements, and planning for future updates that may be required should the amendment be published in The Gazette.  

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.  

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. 
