Proposed changes to cybersecurity law may improve oversight, scope: expert

Digitisation and reliance on outsourced computing vendors are among factors influencing the changes.

The proposed amendments to the 2018 Cyber Security Act could strengthen the government’s regulatory oversight and expand its scope to cover more entities, according to Norton Rose Fulbright.

The law firm highlighted two key proposed changes in the recently drafted bill, starting with the amendments that aim to strengthen the regulatory approach to critical information infrastructure.

It expects the enhanced regulatory oversight of the Cyber Security Agency of Singapore (CSA) to result in increased scrutiny over cybersecurity supply chains, “with the effect of more stringent requirements being imposed downstream by such entities regulated by the CSA.”

The second key amendment points to a greater scope of the law to include other entities beyond the owners of critical information infrastructure.

“This is a recognition of the fact that due to increased digitisation, there are other components in Singapore’s cybersecurity landscape apart from essential services where disruptions caused by cybersecurity incidents could significantly impact or degrade life in Singapore,” the report said. 

It noted that the proposal has stricter cybersecurity standards in place that apply to a wider range of regulated entities, while the reporting incident obligations will be extended beyond the systems of critical information infrastructure.

Strengthening of regulatory powers comes with the shift towards virtualisation and use of outsourced vendors for computing needs since the enactment of the Cyber Security Act, inviting the need to facilitate the use of these vendors by providers of essential services.

“Providers of essential services will be permitted to use Computing Vendors in the delivery of an essential service,” the report said. “However, responsibility for the cybersecurity of the essential service will remain with its providers.

New classes of entities included in the draft bill were foundational digital infrastructure not falling within the designations of critical information infrastructure; entities of special cybersecurity interest; and owners of systems of temporary cybersecurity concern.