SINGAPORE: Owners of critical information infrastructure (CII), such as those providing water, electricity and banking services, will be required to report more types of cybersecurity incidents, including those that happen in their supply chains, under a new proposed law.
This way, the Cyber Security Agency of Singapore (CSA) can be more aware of the cybersecurity threats that could potentially cause disruptions to Singapore’s essential services and work with owners more proactively to secure them, the agency said.
Tabled in parliament on Wednesday (Apr 3), the Cybersecurity (Amendment) Bill will update existing provisions relating to the cybersecurity of CII as well as expand CSA’s oversight to cover Systems of Temporary Cybersecurity Concern or STCCs.
These are computer systems that are critical to Singapore and are at a high risk of cyberattacks because of certain events or situations.
The Bill seeks to amend the Cybersecurity Act 2018, which establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore.
The objective of the Bill, which would amend the Act for the first time, is to ensure that the law keeps pace with developments in the cyber threat landscape, as well as Singapore’s evolving technological operations, said CSA in a media release on Wednesday.
A key aspect of the Bill is also to ensure that CII owners remain responsible for the cybersecurity and cyber resilience of the systems, while embracing new technological and business models such as cloud computing, said CSA.
The intention to amend the law was first laid out by Minister for Communications and Information Josephine Teo last month when she spoke in parliament about her ministry’s spending plan.
She said the law needed to change to reflect the increasing importance of ensuring the cybersecurity of the digital infrastructure and services that power Singapore’s digital economy, as well as allow citizens to meet their day-to-day needs.
WHAT THE BILL COVERS
At present, CII owners are only required to report cybersecurity incidents concerning the critical infrastructure, and computer systems under their control that are interconnected or communicate with the infrastructure.
If the new law is passed, owners will also have to report incidents targeting systems that are peripheral to CII.