The Business Times

Amended Cybersecurity Act to mandate more disclosures, expand list of regulated organisations 

Yong Jun Yuan
Published Wed, Apr 3, 2024 · 03:49 PM

PROPOSED amendments to the Cybersecurity Act were tabled in Parliament on Wednesday (Apr 3), with the changes set to expand the Cyber Security Agency of Singapore’s (CSA) oversight of the organisations regulated by the law.

The amendments will also regulate more organisations that are deemed to be attractive targets of malicious actors.

In a press release, CSA said that the amendments will update existing provisions relating to the cybersecurity of critical information infrastructure (CII).

To improve the CSA’s situational awareness over CII, the Cybersecurity Act will be amended to require CII owners to report incidents targeting systems that are peripheral to CII, including those of their suppliers, to the agency.

Previously, mandatory incident reporting only applied to CII, as well as systems that interconnect with or communicate with CII.

Such a law may have helped during an attack on Texas-based software company SolarWinds. In this case, CII owners would have been required to report on their exposure to the company’s software ahead of time, giving the authorities time to respond.

In 2020, the company was hacked, and its network management software was compromised. The software was then hijacked to slip malicious code into thousands of organisations’ devices.

Furthermore, the Act will be updated to allow CII owners to use cloud infrastructure if the benefits outweigh the risks. Still, the law will require at least one of the physical computing resources deployed to create the virtual system to be based locally.

Cloud service providers and IT vendors will also be able to provide CII owners with such computing infrastructure, without themselves being regarded as CII owners.

CSA said that the amendments will also regulate the cybersecurity of systems of temporary cybersecurity concern (STCC).

Such systems include those used to support high-profile events in Singapore, such as the World Economic Forum, or temporary systems used to track the distribution of vaccines during a pandemic. Such systems are not currently designated as CII.

With the amendments, owners of STCC will be obliged to furnish cybersecurity-related information upon request and report cybersecurity incidents, among other requirements.

In addition, certain entities that are targets for cyberattacks because of the sensitive data they hold may be designated as entities of special cybersecurity interest (ESCI).

In its closing note for the public consultation on the amendments published on Tuesday, CSA said that it will not publish a full list of designated ESCI for security reasons.

“As ESCIs could come from a range of sectors, it is important for the proposed draft provisions to be drafted in a manner that would allow CSA to work with these entities on their cybersecurity in our evolving threat landscape,” the agency said.

Meanwhile, foundational digital infrastructure (FDI) service providers that provide cloud services and data-centre facility services to companies in Singapore will also be subjected to certain obligations under the amendments to the Act.

Similar to STCCs, both ESCIs and FDI providers will also be obliged to furnish cybersecurity-related information and report cybersecurity incidents, among other obligations.

However, unlike CII owners, ESCI will not be required to submit audit reports and risk assessments to CSA, nor will they be required to participate in national cybersecurity exercises. CSA will also take reference from international best practices and work with sectoral regulators to harmonise its regulations on FDI providers.

If organisations breach the Act, the amendments will also allow the CSA’s commissioner to recommend civil penalties in lieu of criminal fines for all offences committed by regulated entities.

In doing so, CSA will review the facts of the case and consider civil action instead of criminal action if the potential impact of non-compliance is deemed not likely to be high.

The proposed amendments will come up for debate during the second reading at a future parliament sitting, before Members of Parliament vote on them.
