Singapore: Parliament passes Cybersecurity (Amendment) Bill on 7 May 2024

 

Singapore’s Parliament has recently passed amendments to the Cybersecurity Act 2018, expanding its scope to encompass a broader array of entities, enhancing reporting requirements, and granting the Cyber Security Agency of Singapore (CSA) authority to levy substantial civil penalties.

Key Amendments Overview

The Cybersecurity (Amendment) Bill, which updates the existing Cybersecurity Act 2018, was approved on May 7, 2024, following extensive stakeholder consultations conducted by the CSA over a two-year period.

Under the revised legislation:

  1. Expanded Regulatory Coverage: The amendments significantly broaden the Act’s coverage beyond Critical Information Infrastructure (CII) to include a wider spectrum of entities. This expansion aims to ensure robust cybersecurity practices across various sectors.
  2. Enhanced Reporting Obligations: Entities covered under the Act, including new categories like Foundational Digital Infrastructure service providers (such as cloud computing and data centre facilities), are subject to heightened reporting obligations. This includes reporting incidents and maintaining standards of performance and codes of practice.
  3. Revised Penalty Regime: The updated legislation introduces a revised penalty framework. Instead of criminal penalties, the CSA now has the authority to impose civil penalties for non-compliance with regulatory obligations. The maximum penalty is 10% of the entity’s annual turnover in Singapore or SGD 500,000, whichever is higher. This aligns with penalties set forth in the Personal Data Protection Act 2012.

Detailed Changes and Updates

  • Foundational Digital Infrastructure Providers: Newly categorized under the Act, these service providers must adhere to specific regulatory standards and codes of practice tailored to their operations in cloud computing and data centre services.
  • Third-Party-Owned CII: Providers of essential services utilizing third-party-owned Critical Information Infrastructure (CII) are now explicitly regulated, reflecting a nuanced approach to managing cybersecurity risks in these arrangements.
  • Penalty Structure: The amendments introduce higher penalties compared to the original Act. For instance, fines can now amount to SGD 200,000 or 10% of the entity’s annual turnover for violations related to Foundational Digital Infrastructure, an increase from the previous maximum of SGD 100,000.
  • Civil Penalties Framework: Section 37A of the Act empowers the CSA to pursue civil penalties for breaches of designated sections of the Act, subject to approval by the Public Prosecutor. Factors considered include the severity of risks posed by non-compliance and the specific circumstances of each case.

These legislative changes underscore Singapore’s proactive approach to cybersecurity governance, aiming to fortify digital resilience across sectors and mitigate emerging threats posed by evolving technologies.

Source: globalcompliancenews.com
