April 27, 2022

Enhancements to Singapore's Cybersecurity Governance

On 4 March 2022, the Cyber Security Agency of Singapore (CSA) announced two initiatives intended to address the impact of increased cybersecurity vulnerabilities and the rise of new sectors of the digital economy.1

The first initiative is a wholesale review of Singapore's primary cybersecurity legislation, the Cybersecurity Act 2018 (Cybersecurity Act), with the intention to potentially expand its scope in view of the country's increased reliance on digital infrastructure and services and growing cybersecurity concerns.

The second initiative is an update to the Cybersecurity Code of Practice for the 11 critical information infrastructure (CII) sectors designated under the Cybersecurity Act2 (Code). The Code, a set of mandatory cyber hygiene practices that CII sectors have to follow, is being updated to enable CII sector companies to better mitigate new and heightened cybersecurity risks which have emerged in recent years, such as the increased and more high-profile use of ransomware.


Taken together, these proposed changes (summarized in further detail below) will materially increase the scope and level of cybersecurity regulation in Singapore, including in areas of the digital economy which have to date remained outside the jurisdiction of the Cybersecurity Act. While the updates to the Code are expected to be issued in Q2 of 2022, the revisions to the Cybersecurity Act will be discussed with stakeholders before being submitted to public consultation in early 2023.

A. Proposed expansion of the Cybersecurity Act

Summary of the proposed changes

The key proposed changes to the Cybersecurity Act announced by the CSA are as follows:

  • To date (and consistent with cybersecurity laws in many jurisdictions), the Cybersecurity Act has sought to primarily regulate companies operating in the CII sectors. The CSA is considering whether to apply a similar level of regulation to newer and increasingly prevalent forms of digital infrastructure, such as cloud-based services which support essential services and key digital services (e.g. apps) which are needed to sustain the digital economy.
  • Factors that the CSA is considering using to determine whether a cloud or digital service or application falls within this category include:
    • The reach and scale of such digital infrastructure and services, for example, its size;
    • Whether alternatives are easily available - where they are available, the CSA will consider the costs of switching to these alternatives if the infrastructure or service is hit by a cyberattack. For example, an online search engine would likely be considered a digital service with a low switching cost and may therefore not fall under the increased scope of the revised Cybersecurity Act.

If passed, the changes would mean that owners of cloud and digital services that fall within the increased scope of the revised Cybersecurity Act would potentially be subject to the level of regulation currently applying to CIIs. Owners of these services would be obliged to provide the Singapore Commissioner for Cybersecurity with information on such key digital services (such as information on the design, configuration and security of the cloud and digital services and applications), to notify the Commissioner for Cybersecurity in the event of cybersecurity incidents, and to conduct regular audits and cybersecurity risk assessments.

Currently, failure to comply with the Cybersecurity Act is an offence potentially resulting in a fine and/or imprisonment. The CSA has not yet indicated whether these penalties will be amended as part of the review of the Cybersecurity Act. Accordingly, assuming the current legal enforcement measures are maintained, an owner of cloud and/or digital services which fall within the purview of the revised Cybersecurity Act may potentially face such penalties in the event of non-compliance.

B. Proposed enhancement of the Code

Summary of the proposed changes

The proposed changes to the Code, which the CSA has stated were prompted by concerns that foundational cyber hygiene practices may no longer be sufficient for CII owners to defend against threats such as ransomware, have been discussed with CII stakeholders. Examples of the enhancements provided by the CSA include allowing the CSA or CII sector-specific regulators3 to add new requirements for specific sectors such as the telecommunications sector, as and when required, to tackle emerging cybersecurity risks.

C. Conclusion

The initiatives described in this client alert highlight the Singapore government's emphasis on building a strong cybersecurity ecosystem to address both present and future cyber threats. As the world, and especially the Singapore economy, becomes more digitized and reliance on the digital world continues to grow, it is important that cloud and digital service owners keep abreast of the changing legal requirements and maintain adequate cybersecurity measures to ensure compliance.


1 The CSA's press release can be accessed at <>.

2 Currently, 11 sectors are designated as CII sectors under the Cybersecurity Act on the basis they provide essential services, namely sectors relating to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, functioning of government and media.

3 Apart from the CSA, specific CII sectors may also be subject to regulatory oversight by sector specific regulators which may impose more stringent cybersecurity regulations to cater to the specific cybersecurity needs of such CII sector. For example, the telecommunications sector is also specifically regulated by the Infocomm Media Development Authority (IMDA) and hence a CII owner within the telecommunications sector will have to comply with both the CSA and IMDA's regulations.

