Cybersecurity bill released by Singapore for public consultation

The Cyber Security Agency (CSA) of Singapore released a cybersecurity bill on July 10, 2017 for a public consultation that will end on Aug 3. The step is intended to make the owners of critical information infrastructure (CII) responsible for reporting security breaches in 11 key essential sectors, including telecommunication, transport, healthcare, banking and energy. It would also require vendors dealing with highly sensitive services to obtain a license to practice. The bill was drafted following the announcement of a high-level cybersecurity strategy by the Critical Information Infrastructure (CII) in October last year. The CSA spent almost two years preparing the draft.
The bill, which aims to plug security gaps in CII, attempts to clarify the obligations of public and private sector organizations to share information when the CSA investigates a cybersecurity incident or threat. It also gives the CSA the power to supersede any banking or privacy rules that forbid sharing of confidential information. The proactive measures that should be mandated by the CII comprise the following steps:

  • Notify the commissioner when the CII suffers a cybersecurity attack
  • Conduct regular system audits by a commissioner-approved third-party
  • Conduct regular risk assessments of the CII
  • Comply with directions issued by the commissioner, including providing access to premises, computers or information during investigations

As per the draft, the Chief of CSA will take over the post of commissioner of cybersecurity. The chief will be responsible for investigating threats and incidents, and for ensuring that no disruption of essential services occurs during a cyberattack. The bill proposes a fine of $1.00.000 or a jail term of 10 years in case of non-compliance.
The bill also requires vendors involved in investigative cybersecurity services or non-investigative cybersecurity services to have a valid license to continue practicing. Anyone found in violation of the rule will face a fine of $50,000, or a jail term not exceeding two years, or both.