Amendments respond to growing digital threats in an increasingly online world
On May 7, 2024, Singapore’s lawmakers passed a Bill aimed at expanding the oversight of the Cyber Security Agency of Singapore (CSA) to better secure the nation’s critical information infrastructure (CII) against cyber threats. This is the first update to the Cybersecurity Act since its inception in 2018, reflecting the need to adapt to evolving technologies and the increased risks associated with digitalization.
The amended legislation broadens the definition of “computers” to include virtual systems and cloud infrastructures that are becoming more prevalent. It requires CII operators to report any cybersecurity incidents affecting their services, including attacks on their supply chains. The new law will also introduce additional categories of entities whose cyber defenses will undergo audits, such as autonomous universities that may hold sensitive data.
Senior Minister of State for Communications and Information, Janil Puthucheary, emphasized the importance of these changes in light of increasing digital threats, citing examples from the Covid-19 pandemic where temporary systems set up for vaccine distribution became targets for cyber attacks. He stated that the original Act did not account for the complexities introduced by cloud services and outsourced digital solutions.
The Bill garnered unanimous support in Parliament, although concerns were raised about how the CSA will determine entities of cybersecurity interest and manage the expanded reporting requirements. Janil assured that the CSA does not intend to regulate third-party vendors directly; rather, essential service providers must ensure their systems meet the mandated cybersecurity standards.
The legislation also establishes two new categories of regulated entities: those of special cybersecurity interest and foundational digital infrastructure. While the latter will face “light touch” regulations, the former will be closely monitored due to the sensitivity of the data they manage.
Janil noted that the government will also have the authority to designate “systems of temporary cybersecurity concern,” which are critical to Singapore and at high risk of cyber attacks, particularly for events of national significance. Failure to comply with the new regulations could result in criminal and civil penalties for CII owners.
As Singapore continues to digitalize, with a reported 94% technology adoption rate among firms and over 90% of residents communicating online, the enhanced cybersecurity measures aim to safeguard against an array of cyber risks that accompany increased online engagement.