New regulations aim to strengthen cybersecurity oversight and address emerging threats
Proposed amendments to Singapore’s Cybersecurity Act were tabled in Parliament on April 3, aiming to expand the Cyber Security Agency of Singapore’s (CSA) oversight of organisations covered by the law. The changes will increase the number of organisations that are considered attractive targets for cyberattacks and therefore subject to stricter cybersecurity requirements.
One significant change is the requirement for Critical Information Infrastructure (CII) owners to report incidents that target systems peripheral to CII, including those of their suppliers. Previously, incident reporting only applied to CII systems or systems that interconnect with CII. This update is expected to improve CSA’s situational awareness and response to cyber threats.
The amendments also introduce the regulation of Systems of Temporary Cybersecurity Concern (STCC), which include systems used for high-profile events like the World Economic Forum or temporary systems used to track vaccine distribution. These systems, which were not previously designated as CII, will now be required to report cybersecurity incidents and provide related information upon request.
Additionally, organisations holding sensitive data may be designated as Entities of Special Cybersecurity Interest (ESCI) and subject to cybersecurity obligations, though they will not be required to submit audit reports or participate in national cybersecurity exercises like CII owners.
The amendments will also impose civil penalties for breaches of the Act, allowing the CSA commissioner to recommend civil action instead of criminal penalties when the impact of non-compliance is deemed low. The proposed changes will be debated and voted on in a future Parliament session.
