Clifford Chance

Talking Tech

Cybersecurity update: Singapore's Cybersecurity Act extends its reach

Cyber Security 13 May 2024

Singapore's Cybersecurity (Amendment) Bill was passed by the Parliament on 7 May 2024. The Bill amends and updates the Cybersecurity Act 2018 to adapt to emerging technologies, a wider landscape of digital infrastructure providers, and evolving threat actors, and has potentially significant implications for any business that provides an 'essential service' in Singapore or provides digital infrastructure services either to or from Singapore. Here are some key takeaways from the amended Act.

The amended Act imposes obligations on four groups of entities:

  • Providers of Essential Services (ESPs). ESPs are obliged to ensure the cybersecurity of the computer systems – the critical information infrastructure ('CII') – used to deliver those services. The Act was originally drafted on the assumption that ESPs would own the CII supporting their services, and that the CII would be located in Singapore. The expanded coverage under the amended Act now includes ESPs who rely on third-party vendors for the CII, as well as CII that is located outside of Singapore but is used to deliver an essential service in Singapore.
  • Owners of Systems of Temporary Cybersecurity Concern (STCC). An STCC is a computer system which, for a limited period, is determined to be subject to a high risk of cybersecurity threat or incident, and whose disruption would have a significant impact on Singapore's national interests. A potential example of an STCC could be a vaccine distribution system which, although ad-hoc, may be targeted due to its high importance and the potential to impact the credibility of a nation.
  • Entities of Special Cybersecurity Interest (ESCI). An ESCI is an entity whose disruption would have a significant impact on Singapore's national interests due to the sensitive nature of the information it stores or the function it performs. A potential example of an ESCI could be an autonomous university, which may be targeted by threat actors because of the research information held.
  • Major Foundational Digital Infrastructure (FDI) Service Providers. FDI services will be designated in a schedule to the amended Act, which currently lists 'cloud computing services' and 'data centre facility services'. An entity can be designated as a major provider of FDI services if they offer an FDI service (a) to persons in Singapore, and disruption of that service would likely impact the operations of a 'large number' of businesses in Singapore; or (b) wholly or partly from Singapore, and disruption of that service would likely impact the operations of a 'large number' of businesses either within or outside of Singapore.

Regulated entities are subject to a range of obligations, including providing information on the cybersecurity of the relevant computer systems, conducting periodic compliance audits, complying with codes of practice and technical standards, and notifying the Commissioner of Cybersecurity of relevant cybersecurity incidents. Additionally, ESPs engaging third-party vendors for CII will be required to obtain contractual commitments from those vendors to assist the ESPs in complying with the Act. Non-compliance can potentially result in criminal or civil penalties, which can reach up to 10% of annual turnover in Singapore.

The amendments, which will come into operation on a date to be appointed by the Minister and announced via notification in the Gazette, extend the reach of the Act beyond traditional boundaries, encompassing a broader spectrum of entities and infrastructure that are integral to Singapore’s essential services and national interests. The Act’s expanded scope and the introduction of rigorous compliance measures underscore Singapore’s commitment to maintaining a resilient and secure digital ecosystem. Given its significance, businesses engaged in activities within and in connection with Singapore are encouraged to carefully consider the potential implications to their operations.