Singapore bill would impose new cybersecurity compliance rules

Publication August 2017


Reproduced with permission from Privacy & Security Law Report, 16 PVLR 975, 7/17/17. Copyright  2017 by The Bureau of National Affairs, Inc. (800-372-1033)

Companies providing critical infrastructure services in Singapore would have new cybersecurity compliance obligations under recently released draft legislation.

The new obligations would apply to companies involved in providing governmental, security and emergency, health-care, telecommunications, banking and finance, energy, water, media, land transport, air transport, and maritime services. They would include meeting cybersecurity standards to be specified later, conducting audits and risk analysis, and cooperating with regulatory investigations.

The bill, proposed by the Cyber Security Agency (CSA) of Singapore and Ministry for Communications and Information July 10, is aimed at protecting critical information infrastructure (CII) computers or computer systems from cyberattacks. It would require CII owners to notify the CSA of cyberattacks, regularly audit system security, conduct risk assessments, participate in cybersecurity exercises, and give the CSA access to computer and information during investigations.

Companies and executives that fail to respond to an information request would be subject to fines of up to S$100,000 ($72,654) and/or imprisonment for up to 2 years. Additional fines of up to S$5,000 ($3,633) per day would apply for refusals to comply following a conviction.

Many of the requirements in the draft bill are things that companies should already be doing, Vincent Loy, partner and Asia Pacific financial crime and cyber leader at PwC LLP in Singapore, told Bloomberg BNA. However, the bill would formalize cybersecurity requirements and give regulators the authority to hold companies liable if they don’t comply, he said.

Stella Cramer, co-head of the technology and innovation practice for Asia at Norton Rose Fulbright in Singapore, told Bloomberg BNA that the cost of compliance will increase if the draft bill becomes law, she said. however its the cost of doing business especially given the broad negative effect that recent cyberattacks such as WannaCry and Petya represent.

The draft proposes a flexible regulatory framework that will account for ‘‘the unique circumstances of each sector and requires industry to take a proactive approach to enhance cybersecurity before threats and incidents happen—based on the risk profile of the sector,’’ Cramer said.

Cybersecurity services licensing

The draft law requires many cybersecurity service providers to obtain a government license before performing or supplying services. Penetration testing services and managed security operations centers both require a governmentissued license, but licensing may be extended to additional services, Cramer said.

Cybersecurity licensing will be of particular interest to multinational companies, Loy said. Such requirements give the responsibility for vouching for thirdparty vendors to government, rather than leaving it to individual companies as is the case in some countries like U.K., he said.

Expanded authority for regulator

The legislation would allow the Minister for Communications and Information to appoint a cybersecurity commissioner vested with a broad investigative powers and responsibility for drawing up codes of conduct.

The CSA would have extensive powers to investigate cybersecurity threats and incidents, Cramer said. It could request documents from CII owners at any time, obtain access to computers impacted by a cyberattack, and install software or other equipment onto computer systems for the purpose of an investigation.

The proposed legislation would also:

  • authorize the commissioner to designate computers or computer systems as CII;
  • require CII owners to report significant cybersecurity incidents to the commissioner and any changes in ownership; and
  • grant the new cybersecurity minister power to extend emergency powers to persons and organizations to counter national cybersecurity threats.

The government is seeking public comment on the draft bill through Aug. 3.

In Singapore, bills are usually introduced by a minister on the government’s behalf and are subject to approval by Parliament and the president before becoming law.

By George Lynch
With assistance from Lien Hoang in Ho Chi Minh City, Vietnam
To contact the reporter on this story: George Lynch in Washington at
To contact the editor responsible for this story: Donald Aplin at

Recent publications

Subscribe and stay up to date with the latest legal news, information and events...