Cyber Security Practitioner
Back to Contents

Volume: 4 Issue: 2
(February 2018)

singapore parliament passes cybersecurity bill parliament singapore passed cybersecurity bill 2018 5 february 2018 singapores cybersecurity act 2018 (‘


Share This Page

Singapore Parliament passes Cybersecurity Bill

The Parliament of Singapore passed the Cybersecurity Bill 2018 on 5 February 2018, which will become Singapore’s Cybersecurity Act 2018 (‘the Act’) and create a new regulatory framework for preventing, responding to and reporting on cyber security threats, appoint a ‘Cybersecurity Commissioner’ as a regulator and enforcer of cyber security standards for organisations defined as ‘critical information infrastructure’ (‘CII’), and introduce a licensing framework for providers of monitoring and penetration testing services as determined by the Act. “The Act is a recognition of the importance of cyber security in underpinning the economic activity and growth of Singapore, especially in relation to Singapore’s SmartNation initiatives,” states Jeremy Tan, Director at CMS Holborn Asia. “It is a positive development as it consolidates the sector-specific cyber security initiatives under a single piece of legislation and under the purview of a single authority which will provide more certainty for organisations in Singapore.”

Under the Act, legal owners of those organisations that are determined to be CII, which will be designated by the Cybersecurity Commissioner and currently includes organisations in sectors such as energy, healthcare and media, will be required to notify the Commissioner of cyber security incidents, establish mechanisms and processes for detecting threats and incidents, and perform cyber risk assessments and audits to be reported to the Commissioner. “Whilst the costs of implementing measures may be staggering, most or almost all organisations operating CII probably already have some form of cyber security measures arising from other sector-specific requirements,” comments Chong Kin Lim, Director at Drew & Napier. “There could be some scope for these organisations to streamline their processes for complying with all frameworks, with a view to minimising any additional compliance costs.” The Commissioner will also have powers to issue and amend directions and codes of practice to organisations operating CII, if the Commissioner deems it ‘necessary or expedient,’ and if the codes of practice and directions are consistent with the Act. “There is every possibility that the Commissioner would exercise its considerable powers, but the consultation process showed that the Government has been mindful of this possibility,” notes Bryan Tan, Partner at Pinsent Masons. “The Government has taken on a lot of feedback which emphasises that it was not the intention for the Commissioner to issue a great deal of directions and codes of practice.”

In a 5 February 2018 speech to the Parliament of Singapore, Dr Yaacob Ibrahim, the Minister for Communications and Information, responded to concerns from fellow MPs that the reporting and investigation requirements under the Act could be too onerous for organisations operating CII, stating that no action will be taken against CII owners as long as they complied with the obligations of the Act, and that there was no obligation for a CII owner to report a cyber security incident in respect of other infrastructure it owns if it is not connected to the CII. “When considered against the consequences that the Act is seeking to mitigate, my view is that the measures are not too onerous,” concludes Jeremy Tan. “However, it should be noted that there will be subsidiary legislation and directions issued pursuant to the Act which will very likely impose further obligations on organisations operating CII, and it remains to be seen whether these will be viewed as too onerous.”

At the time of publication, the Government has not announced the date at which the Act will be implemented.

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to cyber security practitioner
Subscribe to cyber security practitioner
Register for a Free Trial to cyber security practitioner
Sign up for e-mail alerts
cyber security practitioner Pricing

Social Media

Follow cyber security practitioner on TwitterView cyber security practitioner LinkedIn Profilecyber security practitioner RSS Feed