Singapore Cybersecurity Licensing
Although the Cybersecurity Act was passed in 2018 to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore, the development of the licensing framework for cybersecurity service providers (CSPs) found in Part 5 of the Cybersecurity Act was deferred to allow further study and consultation to enhance the practicality for CPS.
A 2021 mid-term report by the Cybersecurity Agency of Singapore (CSA) revealed that cyber threats had risen in Singapore. For example, the number of “zombie” devices that are infected with malware and easily controlled by hackers has tripled in numbers. In 2020, an average of 6,600 malware-laced devices, known as botnet drones, were observed in Singapore on daily basis—a significant increase from 2,300 in 2019.
The licensing framework aims to give greater assurance of safety to customers, raise the standards of CSPs, and address the information gap between CSPs and consumers of cybersecurity services. Singapore would be one of the first countries in the world to introduce licensing for CSPs.
CSPs, which include companies or individuals directly engaged in such services or third-party vendors supporting these companies, must now be licensed. The licensing framework is expected to be implemented in April 2022 and all CSPs will be given six months from the start of the framework to apply for the license. Failure to obtain a license and offer a licensable service is a criminal offense; CSPs will be fined up to S$50,000 and/or imprisonment for a term of up to two years.
For now, the licensing regime applies to only two services: penetration testing and managed security operations. These two services are prioritized because the CSPs performing these services have significant access to their client’s sensitive information, and if abused, will result in major disruption of the client’s operations. In addition, these two listed services are already widely available and adopted in the market and thus could pose a significant risk to the overall cybersecurity landscape in Singapore.
The license is valid for 2 years. The cost is S$1,000 for companies and S$500 for individuals such as freelancers or sole proprietor-owned businesses controlled by individuals. Licenses can be revoked or suspended, and errant companies or individuals can be fined up to S$10,000, not exceeding S$50,000, for every failure to comply.
For more information, please contact Mishell Arwan.