Singapore on Monday (July 10) released for public consultation a draft Cyber security Bill that requires critical information infrastructure owners in Singapore to report security breaches and cyber-security vendors providing highly sensitive services to be licensed, according to a report in The Straits Times Online.
Singapore’s Cyber Security Agency (CSA) which spent two years working on the proposed legislation said the overarching bill is consistent with efforts to raise Singapore’s cyber security posture.
CSA chief executive David Koh said the current law, the Computer Misuse and Cyber security Act, focuses more on cyber crime. But as the threat landscape evolves, he said it is better to have an omnibus Bill that oversees the cyber security of essential services as a whole.
The Bill aims to harmonise the requirements to protect Critical Information Infrastructure (CII) across the public and private sectors. It also aims to clarify organisations’ obligations to share information to facilitate in the investigations of cyber security threats or incidents undertaken by CSA.
Citing the recent WannaCry and NotPetya ransomware attack, Mr Koh said “Around the world we have seen attacks affecting critical infrastructure such as energy and power supply.”
He warned that Singapore is vulnerable even though its critical sectors were not disrupted by the ransomware.
The bill mandates CII owners to do the followings: notify the commissioner of CII suffering a cyber security attack; conduct regular system audits by a commissioner-approved third-party; conduct regular risk assessment of the CII and comply with the directions issued by the commissioner, including providing access to premises, computers or information during investigations.