On 5 February 2018, the SG Parliament has passed the Cybersecurity Bill after it is significantly revised based on results of public consultation. Below is a note of key points in the new law:
Critical Information Infrastructure (“CII”)
The new law limited the definition of CII to computers or computer systems that have been expressly designated as such by the Commissioner of Cybersecurity (“Commissioner”).
Its owner is defined to be legal owner or co-owner, which does not include someone who effective control or responsibility for its continuous functioning. However, the Act introduces a mechanism allowing a person who has received a notice from the Commissioner designating a computer or computer system as a CII to request that the notice be instead sent to a third-party after showing that only that person has effective control over and the right to change the system.
Any change in beneficial or legal ownership (including any share in such ownership) must be reported not later than seven days after the date of change in ownership. This is more practical than the bill, in which the change of ownership should be reported 90 days prior to the change.
The Act requires audits at least once every two years and risk assessments once a year.
The Cybersecurity Act requires owners of CII to report “prescribed” cybersecurity incidents or any other incidents specified by the Commissioner.
The Act removes vaguer reference to “recommended technical standards” in the context of the standard of performance expected from owners of CII.
Under the Cybersecurity Act, penetration testing and managed security operations centre (“SOC”) monitoring services cannot be performed without a licence. A company does not require a separate license if a related company already has such a license.
A licensee must now only keep records for three years.
Any person to whom a notice for information is issued (by the Commissioner) is not obliged to disclose information protected by law, contract, or the rules of professional conduct.
