Published by rhtlaw on July 11, 2017
RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in The Business Times article titled “Cybersecurity Bill seeks to protect critical information infrastructure”.
The article was first published in The Business Times on 11 July 2017.
Cybersecurity Bill seeks to protect critical information infrastructure
Source: The Business Times © Singapore Press Holdings Ltd.
Date: 11 July 2017
Author: Amit Roy Choudhury
As cyberattacks get more sophisticated and widespread, Singapore on Monday unveiled a comprehensive draft Cybersecurity Bill which seeks to protect Singapore's critical information infrastructure (CII), give more powers to the Cyber Security Agency (CSA), ensure proper information sharing during attacks, and introduce a licensing provision to regulate and ensure quality cybersecurity services are available here.
The draft bill was released on Monday for public consultations and this process will continue until Aug 3. After changes, if any, it is likely to be tabled in Parliament for first reading by the end of this year. Work on the legislation started in late 2015.
Under the bill, owners of CII will have to immediately inform CSA of a breach and share all relevant information. The bill sets out well-defined measures that CII owners need to undertake.
These include, among others, providing technical information relating to the CII to CSA, conducting compliance audits and risk assessments, and complying with codes of practice, standards of performance and issued directions (from the regulatory agencies). These measures are expected to be undertaken irrespective of whether there has been a breach or not.
For CIIs, wilful non-compliance with duties generally carries a fine of up to S$100,000 and imprisonment of up to two years. These fines are separate from standard fines that are already in place in case of service disruption in CII sectors.
The bill will provide CSA with enhanced powers to manage and respond to cybersecurity threats and incidents. In this regard, Section 15A of the current Computer Misuse and Cybersecurity Act (CMCA) provides some existing powers related to cybersecurity. These will be enhanced in the Cybersecurity Bill, and specific powers will be vested in CSA officers to allow them to deal with fast-moving cybersecurity threats and incidents. The bill also seeks to establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. It also seeks to introduce a "lighter-touch" licensing framework for the regulation of selected cybersecurity service providers.
Examples include licensing the provision of "penetration testing" - where specialists check to see if an IT network has any vulnerabilities by trying to "hack" into the network - and managed security operations centre (SOC) services.
The proposed bill will focus on cybersecurity while crimes committed using a computer, such as hacking, will continue to be addressed by the CMCA.
The bill is part of Singapore's Cybersecurity Strategy announced by Prime Minister Lee Hsien Loong last year. Singapore's move to table a comprehensive bill mirrors similar efforts being undertaken by several countries around the world which are seeking to enact an omnibus cybersecurity law, such as Germany.
CSA chief executive David Koh noted that "currently the legislation or the regulations are disparate". As a result, he added, there are challenges, for example, in the area of information sharing.
"This new bill will put everything together and seeks to provide us the capability to facilitate action, both pre-emptive action and reactive action. The focus of the bill is on CII, because these by definition are critical and provide essential services to the country. So it is in everyone's interest to protect them," Mr Koh said.
The CSA boss added that a need was also felt to facilitate CSA officers so that they would have the ability to respond to threats and facilitate information sharing "because . . . there are other rules which perhaps can be interpreted to prevent information sharing such as privacy rules, banking secrecy rules and others.
"The bill is designed to allow information sharing within certain parameters," he added.
Mr Koh will hold the position of the Commissioner of Cybersecurity. The Minister-in-charge of Cybersecurity could also appoint a Deputy Commissioner as well as a number of Assistant Commissioners.
Talking to The Business Times, Jack Ow, intellectual property & technology partner, RHTLaw Taylor Wessing, noted: "The draft bill is intended to be a broad framework for cybersecurity requirements to be consistently applied across sectors, but yet flexible enough to take into account the unique circumstances of each sector.
"In this regard, the requirements in the draft bill, especially the duties on cybersecurity imposed on owners of CII, can be viewed as baseline requirements applicable to all industries, as long as you are considered a 'CII'."
Daryl Pereira, head of cybersecurity at KPMG in Singapore, added that the proposed bill, specifically the framework for the protection of CII, "seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline".
"This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness," Mr Pereira added.
Steve Lam, advisory partner, Ernst & Young Advisory, added that the bill served to provide a framework for the protection of Singapore's essential services against cyber-attacks. "If passed in its current state, (the bill) clarifies and sets in law the accountability of the board, senior management and participants in protecting Singapore's national interests across both the public and private sectors."