Singapore: Signed Cybersecurity Act 2018

On 2 March 2018, the Cybersecurity Act was signed by the President of Singapore, establishing a framework for the protection of critical information infrastructure (CII) against cybersecurity threats. Part 1 of the Act provides definitions, including "cybersecurity threat" and "cybersecurity incident". Section 4 of the Act establishes that a Cybersecurity Commissioner, a Deputy Commissioner, and Assistant Commissioners must be appointed who are responsible for the administration of the Act. Part 3 of the Act empowers the Commissioner to designate computer systems as Critical Information Infrastructure (CII) if they are located wholly or partly in Singapore and are necessary for the continuous delivery of an essential service and its loss would have a debilitating effect on the availability of the essential service in Singapore. As essential service count services essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. The designation as CII imposes constraints and obligations on the computer system, such as providing the Commission with information relating to the CII, mandatory compliance with codes of practice, standards of performance or written directions, mandatory notification of changes in ownership of the CII and of cybersecurity incidents, mandatory regular audits of the compliance of the CII with this Act, mandatory cybersecurity risk assessments of the CII and participation in cybersecurity exercises. The Commissioner can further require information of the owner of a CII regarding the design, configuration and security of the CII, and of any other computer or computer system within the owner's control. Sections 19 and 20 grant the Commissioner powers to investigate and respond to cybersecurity threats or incidents, depending on their severity. These powers include gathering information inspecting documents, and computers. Lastly, Part 5 of the Act establishes the licensing framework for cybersecurity service providers in Singapore and makes it illegal to offer or advertise licensable cybersecurity services without a license. Applications for licenses can be denied if the applicant is unfit or poses a security risk. The licensing officer can impose conditions on licenses and take disciplinary actions, including revoking or suspending licenses.