Background

The Cybersecurity Agency of Singapore (“the Agency”), which is the government entity charged with protecting Singapore’s Cyberspace environment, has put in place a licensing framework for Cybersecurity Service Providers (“CSPs”) which came into effect on 11 April 2022.

The licensing framework has been established with the intention of achieving the following goals:

  1. Providing greater assurance of security and safety to consumers;
  2. Improving the standards and standing of CSPs; and
  3. Addressing the information asymmetry between consumers and CSPs.

Under the licensing framework, Part 5 of the Cybersecurity Act 2018 (“the Act”) and the Second Schedule to the Act came into force on 11 April 2022.

In addition, the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022 also came into force on the same day.

Two types of CSPs fall within the ambit of the licensing framework, namely:

  (a) those providing penetration testing; and
  (b) those providing managed security operations centre monitoring services,

where the activities stated in (a) and (b) above have been termed licensable cybersecurity services.

The licensing framework governs the CSPs which provide the 2 licensable cybersecurity services above, as they usually possess significant access to their clients’ computer systems which may contain critical or sensitive information.

The Agency has established the Cybersecurity Services Regulation Office to administer the licensing framework and facilitate liaisons with the industry and wider public regarding matters related to the licensing framework.

The Licensing Framework

CSPs which have not been granted a CSP licence would be unable to provide licensable cybersecurity services until the attainment of such a licence.

Under the framework, CSPs which currently provide either or both of the licensable cybersecurity services, and which have submitted their licence application prior to 11 October 2022, may continue to provide such services pending the outcome of their application.

CSPs who provide any licensable cybersecurity services to another person or entity without a licence after 11 October 2022 shall be guilty of an offence and liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both.

The licence is valid for a period of 2 years and the licence fees for CSPs which are either individuals or businesses are $500 or $1000 respectively. A one-time 50% waiver of the licence fees will be granted for all licence applications that are lodged within the first 12 months of the licensing framework coming into force, i.e. before 11 Apr 2023. 

Once a CSP has been granted a licence, it has 2 key requirements which must be satisfied. They are:

  • The officers of the licence-holding CSP must be “fit and proper”. In determining if key officers (in the case of a CSP that is a corporate entity) or an individual CSP are “fit and proper”, the licensing officer who reviews the application and grants the licence can consider a wide variety of factors.

  • Records must be kept by the licensed CSP for every occasion on which it provides the licensable service(s). Such records must be maintained for at least 3 years. The Act provides for the specific information that must be contained in such records. Examples of such information are the date of service(s) provided, details on type(s) of service(s) provided, identity of the service(s) provider(s) etc.

By limiting the licensing framework to just the 2 licensable cybersecurity services stated above, the Agency has adopted a “light touch” approach to regulation. Based on industry response and how the cybersecurity landscape may evolve, this regulatory framework may be amended or enhanced, with possible changes to licensing application requirements and conditions imposed on licensed CSPs, among other things.