News reaction: NCC Group responds to the Cyber Security Agency of Singapore’s consultation on amendments to the Cybersecurity Act

19 January 2024

This week, the Cyber Security Agency of Singapore concluded its consultation on proposed amendments to the Cybersecurity Act. Here, Regional Managing Director, Charles Spencer, comments on NCC Group’s response to the public consultation.

NCC Group has responded to the consultation the Cyber Security Agency (CSA) of Singapore is undertaking on proposals to amend the Cybersecurity Act that came into force in August 2018.

Singapore commenced the review of the Act in 2021, to ensure it keeps pace with developments in technology and industry practices, notably the use of third-party and cloud providers; ensures the security of important systems beyond critical information infrastructure (CII); and provides greater situational awareness of vulnerabilities, threats, and incidents.

In the consultation, which closed last week, the CSA outlined the following proposed amendments to the Act:

  • Owners of CII would have responsibility for, and additional duties in relation to, the cyber security of ‘non-provider-owned’ infrastructure, e.g. where they use third-party computing vendors. They would need to obtain legally binding commitments from the vendor to comply with all requirements.

  • CII providers’ incident reporting requirements would be expanded to cover more types of incidents.

  • Regulatory oversight and cyber security duties would be expanded to cover providers of foundational digital infrastructure, entities of special cybersecurity interest, and systems of temporary cybersecurity concern (STCC). The providers in scope would be designated in each of these categories, and relevant compliance standards would be co-created and developed in line with existing domestic and international standards. Additional details, for example in relation to incident reporting requirements or the level of financial penalties for non-compliance, would be confirmed in operational guidance and future draft legislation.

Here, Regional Managing Director, Charles Spencer, comments on the key points from NCC Group’s response to the public consultation:

“We are pleased to have had the opportunity to contribute to the CSA’s public consultation. We believe Singapore has the opportunity to lead the world in digital markets and the connected economy. We commend the CSA for demonstrating foresight and adaptability to the evolving threats, technologies, and business models of the 21st century, enabling its continued digital transformation through the Smart Nation initiative.

“We believe it is right to hold organisations’ boardrooms accountable for cyber risk management, and strongly encourage regulators globally to develop risk-based and principles-based frameworks that underpin all mandated cyber security requirements to avoid fragmented and overlapping requirements.”

While we support the role that progressive legislation and a central and adaptable regulator can play in delivering a cyber-secure digital-first Singapore, we believe the CSA should reconsider its proposals as follows, to allow for continued investment in growth and innovation while safeguarding cyber resilience:

  • Create a high-level framework that underpins the CSA’s general approach to setting cyber security requirements for specific sectors and organisations to avoid the risk of creating a compliance burden that could impact growth, innovation and digital transformation;

  • Emphasise the existing contractual and fiduciary relationships between computing and cloud infrastructure providers and their customers in the form of shared responsibility models as a good starting point for any additional regulation;

  • Highlight the importance of trust across the Singaporean ecosystem and measures that will further accelerate the maturity of the cyber security industry in Singapore;

  • Include additional measures such as the creation of a new Bureau of National Cyber Statistics to help build a full picture of the cyber threat landscape; and advocate for more initiatives like GovTech Singapore’s Vulnerability Rewards Programme (VRP) that promote true collaboration with the cyber security industry.

What’s next?

Through our growing presence in Singapore, NCC Group stands ready to remain a valued part of the maturing cyber security industry in the country, helping to deliver a secure, reliable, and resilient digital Singapore. We look forward to seeing how the CSA reflects our input to inform an updated Cybersecurity Act.

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574