Proposed law will require owners of critical services like water, banking to report more types of cybersecurity incidents
WHAT THE BILL COVERS
At present, CII owners are only required to report cybersecurity incidents concerning the critical infrastructure, and computer systems under their control that are interconnected or communicate with the infrastructure.
If the new law is passed, owners will also have to report incidents targeting systems that are peripheral to CII.
Besides critical infrastructure, the Bill will also allow CSA to proactively secure STCCs to ensure the cybersecurity of these systems.
An example of an STCC would be the temporary systems used to support the distribution of critical vaccines during a pandemic. During the COVID-19 pandemic, vaccine distribution systems deployed by healthcare organisations around the world were targeted by malicious cyber actors.
In addition, CSA will create two new classes of regulated entities: Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI).
These two classes will be subjected to “light touch” regulations as they are not critical information infrastructure.
ESCI, such as autonomous universities, may hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, safety, or order of Singapore.
Under the Bill, CSA will be able to designate and regulate ESCI for cybersecurity. The obligations imposed on these entities will not be at the same levels as that for CIIs, Singapore’s cybersecurity agency said.
Lastly, the Bill also requires companies such as cloud service providers and data centres to be responsible for the cybersecurity of such digital infrastructure.
This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will also not be at the level of a CII, said the agency.
CSA added that it had consulted extensively on the Bill, through stakeholder and public consultations. If passed, the agency said it will continue to consult closely with stakeholders to operationalise the Bill.