Key Points of Singapore’s New Cybersecurity Act 2018

On 5 February 2018, the SG Parliament has passed the Cybersecurity Bill after it is significantly revised based on results of public consultation.  Below is a note of key points in the new law:

Critical Information Infrastructure (“CII”)

The new law limited the definition of CII to computers or computer systems that have been expressly designated as such by the Commissioner of Cybersecurity (“Commissioner”).

Its owner is defined to be legal owner or co-owner, which does not include someone who effective control or responsibility for its continuous functioning.  However, the Act introduces a mechanism allowing a person who has received a notice from the Commissioner designating a computer or computer system as a CII to request that the notice be instead sent to a third-party after showing that only that person has effective control over and the right to change the system.

Any change in beneficial or legal ownership (including any share in such ownership) must be reported not later than seven days after the date of change in ownership.   This is more practical than the bill, in which the change of ownership should be reported 90 days prior to the change.

The Act requires audits at least once every two years and risk assessments once a year.

The Cybersecurity Act requires owners of CII to report “prescribed” cybersecurity incidents or any other incidents specified by the Commissioner.

The Act removes vaguer reference to “recommended technical standards” in the context of the standard of performance expected from owners of CII.

Under the Cybersecurity Act, penetration testing and managed security operations centre (“SOC”) monitoring services cannot be performed without a licence.  A company does not require a separate license if a related company already has such a license.

A licensee must now only keep records for three years.

Any person to whom a notice for information is issued (by the Commissioner) is not obliged to disclose information protected by law, contract, or the rules of professional conduct.



Author: Donnie (豆哥)

Former academic in Law & Sociology, currently a lawyer, 15+ years experiences in IP and IT laws. 前任法律学者、现任滤师,专业过滤假货崴货(不限商品、服务、鸡汤鸡血);业余仁波切,负责解答精神问题。微信公号fadoufadou