April 27, 2022

Enhancements to Singapore's Cybersecurity Governance


On 4 March 2022, the Cyber Security Agency of Singapore (CSA) announced two initiatives intended to address the impact of increased cybersecurity vulnerabilities and the rise of new sectors of the digital economy.1

The first initiative is a wholesale review of Singapore's primary cybersecurity legislation, the Cybersecurity Act 2018 (Cybersecurity Act), with the intention to potentially expand its scope in view of the country's increased reliance on digital infrastructure and services and growing cybersecurity concerns.

The second initiative is an update to the Cybersecurity Code of Practice for the 11 critical information infrastructure (CII) sectors designated under the Cybersecurity Act2 (Code). The Code, a set of mandatory cyber hygiene practices that CII sectors have to follow, is being updated to enable CII sector companies to better mitigate new and heightened cybersecurity risks which have emerged in recent years, such as the increased and more high-profile use of ransomware.


Taken together, these proposed changes (summarized in further detail below) will materially increase the scope and level of cybersecurity regulation in Singapore, including in areas of the digital economy which have to date remained outside the jurisdiction of the Cybersecurity Act. While the updates to the Code are expected to be issued in Q2 of 2022, the revisions to the Cybersecurity Act will be discussed with stakeholders before being submitted to public consultation in early 2023.

A. Proposed expansion of the Cybersecurity Act

Summary of the proposed changes

The key proposed changes to the Cybersecurity Act announced by the CSA are as follows:

  • To date (and consistent with cybersecurity laws in many jurisdictions), the Cybersecurity Act has sought to primarily regulate companies operating in the CII sectors. The CSA is considering whether to apply a similar level of regulation to newer and increasingly prevalent forms of digital infrastructure, such as cloud-based services which support essential services and key digital services (e.g. apps) which are needed to sustain the digital economy.
  • Factors that the CSA is considering using to determine whether a cloud or digital service or application falls within this category include:
    • The reach and scale of such digital infrastructure and services, for example, its size;
    • Whether alternatives are easily available - where they are available, the CSA will consider the costs of switching to these alternatives if the infrastructure or service is hit by a cyberattack. For example, an online search engine would likely be considered a digital service with a low switching cost and may therefore not fall under the increased scope of the revised Cybersecurity Act.

If passed, the changes would mean that owners of cloud and digital services that fall within the increased scope of the revised Cybersecurity Act would potentially be subject to the level of regulation currently applying to CIIs. These owners would then be obliged to provide the Singapore Commissioner for Cybersecurity with information on such key digital services (such as information on the design, configuration and security of such cloud and digital services and applications), notify the Commissioner for Cybersecurity in the event of cybersecurity incidents, and conduct regular audits and cybersecurity risk assessments.

Currently, failure to comply with the Cybersecurity Act is an offence potentially resulting in a fine and/or imprisonment. The CSA has not yet indicated whether these penalties will be amended as part of the review of the Cybersecurity Act. Accordingly, assuming the current legal enforcement measures are maintained, an owner of cloud and/or digital services which fall within the purview of the revised Cybersecurity Act may potentially face such penalties in the event of non-compliance.

B. Proposed enhancement of the Code

Summary of the proposed changes

The proposed changes to the Code, which the CSA has stated were prompted by concerns that foundational cyber hygiene practices may no longer be sufficient for CII owners to defend against threats such as ransomware, have been discussed with CII stakeholders. Examples of the enhancements provided by the CSA include allowing CSA or CII sector specific regulators3 to add new requirements for specific sectors such as the telecommunications sector, as and when required, to tackle emerging cybersecurity risks.

C. Conclusion

The initiatives described in this client alert highlight the Singapore government's emphasis on building a strong cybersecurity ecosystem to address both present and future cyber threats. As the world, and especially the Singapore economy, becomes more digitized and reliance on the digital world continues to grow, it is important that cloud and digital service owners keep abreast of the changing legal requirements and maintain adequate cybersecurity measures to ensure compliance.


1 The CSA's press release can be accessed at <>.

2 Currently, 11 sectors are designated as CII sectors under the Cybersecurity Act on the basis they provide essential services, namely sectors relating to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, functioning of government and media.

3 Apart from the CSA, specific CII sectors may also be subject to regulatory oversight by sector specific regulators which may impose more stringent cybersecurity regulations to cater to the specific cybersecurity needs of such CII sector. For example, the telecommunications sector is also specifically regulated by the Infocomm Media Development Authority (IMDA) and hence a CII owner within the telecommunications sector will have to comply with both the CSA and IMDA's regulations.

