23 October 2018

Up close and personal with the Singaporean Cybersecurity Act

Due to a recent engagement we carried out an in-depth review of the new Singaporean Cybersecurity Act.

What do we think?

The Act is a bold approach to ensuring the security of a nation’s most critical infrastructure, which we think will be copied by other countries and may even be a model for large enterprises.

Why bold?

A fundamental challenge is that the level of cybersecurity protecting any piece of infrastructure at any given time is usually heavily dependent on a Chief Information Security Officer’s (CISO) ability to present cyber risk to those controlling the purse strings. The result is a varied levels of control and capability across some very important infrastructure.

So what is the answer? Like most things, depends who you ask. Singapore has taken the bold approach to regulate the cybersecurity of the technology infrastructure that the country needs to run smoothly.

Our key takeaways

  • The Act introduces a Cyber Commissioner who will “respond to cybersecurity incidents that threaten the national security, defence, economy, foreign relations, public health, public order or public safety, or any essential services, of Singapore, whether such cybersecurity incidents occur in or outside Singapore” – Interesting to see how this works in practice. Many global companies in this framework will be hesitant to provide that level of access to a foreign state.
  • The Act creates Critical Information Infrastructure (CII) in Singapore meaning “the computer or computer system which is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore” – These CIIs span most industries across both the public and private sector. It will be very interesting to see what they determine to be CIIs and how private companies deal with this. Even from an investment perspective, who pays to increase the security posture or the rewrite of the supporting business processes?
  • Each designated CII will have an owner who will be appointed statutory duties specific to the cybersecurity of the CII. – Yeah, these owners will be held to account by the Commissioner. Failure to fulfil their role will result in personal fines up to $100,000 or imprisonment for a term not exceeding 2 years. Given most companies already struggle defining the ‘owner’ of a system, will this push the ownership of these business/operational systems to CISOs?
  • The Act introduces a licencing framework for suppliers where “No person is to provide licensable cybersecurity service without licence”. – A very interesting one. The suppliers of cybersecurity services to the CIIs will need to have a license issued by the Commissioner. A sign of things to come in the supplier risk space perhaps?

The Act can be found here:  Singapore Cybersecurity Act 2018

If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.