The Cyber Security Agency of Singapore (CSA) has proposed amendments to the Cybersecurity Act 2018, mandating more disclosures and changes set to expand list of regulated organisations that are deemed to be attractive targets of malicious actors.
CSA said that the amendments will update existing provisions relating to the cybersecurity of critical information infrastructure (CII).
The new amendment requires CII owners of essential services, like water, electricity, banking services and more to report incidents targeting systems, including those that happen in their supply chains.
Earlier, the bill has mandated incident reporting only to CII and systems that interconnect with or communicate with CII.
CSA said this new update will help them have better awareness of the cybersecurity threats that could potentially cause disruptions to Singapore’s essential services and work with owners more proactively to secure them.
The amendments tabled in parliament on April 3, also aims to regulate the cybersecurity of systems of temporary cybersecurity concern (STCC).
These are systems currently not designated as CII but are at a high risk of cyberattacks because of certain events or situations, such as the vaccine distribution systems deployed by healthcare organisations during the COVID-19 pandemic.
The proposal directs STCC owners to report incidents and furnish cybersecurity information on request.
In addition, CSA will create two new classes of regulated entities: Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI).
The Bill will allow CSA to designate and regulate ESCI for cybersecurity if they hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore.
The obligations imposed on these entities will not be at the same levels as that for CIIs, the agency said.
The amendments also require companies providing cloud services and data centres to be responsible for the cybersecurity of their digital infrastructure.
CSA added that it had consulted extensively on the Bill, through stakeholder and public consultations. The agency said it will continue to consult closely with stakeholders to operationalise the Bill if passed.
