Singapore: Implemented Cybersecurity Act 2018 including Critical Information Infrastructure (CII)

On 31 August 2018, parts 1 to 4, 6 and the First Schedule of the Cybersecurity Act were implemented, establishing a framework for the protection of critical information infrastructure (CII) against cybersecurity threats. Part 1 of the Act provides definitions, including "cybersecurity threat" and "cybersecurity incident". Section 4 of the Act establishes that a Cybersecurity Commissioner, a Deputy Commissioner, and Assistant Commissioners must be appointed who are responsible for the administration of the Act. Part 3 of the Act empowers the Commissioner to designate computer systems as Critical Information Infrastructure (CII) if they are located wholly or partly in Singapore and are necessary for the continuous delivery of an essential service and its loss would have a debilitating effect on the availability of the essential service in Singapore. As essential service count services essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. The designation as CII imposes constraints and obligations on the computer system, such as providing the Commission with information relating to the CII, mandatory compliance with codes of practice, standards of performance or written directions, mandatory notification of changes in ownership of the CII and of cybersecurity incidents, mandatory regular audits of the compliance of the CII with this Act, mandatory cybersecurity risk assessments of the CII and participation in cybersecurity exercises. The Commissioner can further require information of the owner of a CII regarding the design, configuration and security of the CII, and of any other computer or computer system within the owner's control. Sections 19 and 20 grant the Commissioner powers to investigate and respond to cybersecurity threats or incidents, depending on their severity. These powers include gathering information inspecting documents, and computers.