The Cyber Security Agency of Singapore (CSA) is looking to bring in new licensing requirements for cybersecurity service providers.
CSA is seeking industry feedback on the proposed licence conditions and draft subsidiary legislation under the licensing framework for cybersecurity service providers, authorities said. The consultation will commence on 20 September 2021 for a period of four weeks.
Licensing framework
The Cybersecurity Act was introduced to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its key objectives are to provide a framework for the regulation of Critical Information Infrastructure; provide CSA with powers to manage and respond to cybersecurity threats and incidents; establish a framework for the sharing of cybersecurity information; and establish a licensing framework for cybersecurity service providers.
The licensing framework was deferred to allow for further study and consultation to enhance its practicability for cybersecurity service providers.
The framework also aims to address three main considerations: providing greater assurance of security and safety to consumers, improving the standards and standing of cybersecurity service providers, and addressing the information asymmetry between consumers and cybersecurity service providers.
Ransomware attacks seem to be on the rise in Singapore. In August, a ransomware attack affected the personal data and clinical information of nearly 73,500 patients of Eye & Retina Surgeons, a private eye clinic. However, the clinic said it has not paid any ransom, and pointed out that no credit card or bank account information was accessed or compromised.
The Ministry of Health (MOH) said that the clinic’s compromised IT systems are not connected to the ministry’s IT systems, such as the National Electronic Health Record, and there have been no similar cyber attacks on MOH’s IT systems.
Singapore authorities are looking to counter precisely these kinds of threats. The framework will give CSA the means to take punitive measures against errant cybersecurity service providers, including the issuance of financial penalties or notices of censure.
Who will be given the licence?
For starters, CSA will license only two types of service providers, namely those providing penetration testing and managed security operations centre monitoring services. These two services are prioritised because service providers performing such services can have significant access into their clients’ computer systems and sensitive information.
In the event that the service is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.
All providers of the licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. The licensing framework is expected to be implemented by early 2022.
Key Proposals
Professional conduct of licensees: To provide a baseline level of protection for consumers of cybersecurity services, CSA is proposing that licensees comply with requirements such as maintaining confidentiality about their clients’ information; not making any false representation in advertising their services or in the provision of their services; exercising due care and skill; and acting with honesty and integrity.
Provision of information: To facilitate CSA’s investigations into potential breaches by licensees or matters relating to a licensee’s continued eligibility to hold the licence, licensed cybersecurity service providers are to provide information concerning or relating to their cybersecurity services upon request and within the timeframes specified by the Licensing Officer.
Notification requirements: Under the Cybersecurity Act, cybersecurity service providers are required to ensure that their key executive officers are fit and proper persons when applying for a licence. Licensees are also required to keep records on the cybersecurity services that have been provided to clients for a duration of at least three years.
To ensure that licensees remain fit and proper, CSA is proposing that licensees notify the Licensing Officer within 14 days of changes to information, such as that relating to the honesty, integrity and financial soundness of the business and its key executive officers, which may affect the licensee’s continued eligibility to be licensed.
To ensure that the licensees’ key executive officers are fit and proper, licensees are to notify the Licensing Officer at least 30 days before the appointment of new key executive officer(s).