The Singapore Cyber Security Agency (CSA) has announced the commencement of its cybersecurity service provider licensing system under Part 5 of the Cybersecurity Act (CS Act). The licensing structure, as well as Part 5 of the CS Act and the Second Schedule to the CS Act, went into force on April 11th.
The approach intends to better protect consumers’ interests while also addressing the information imbalance that exists between consumers and cybersecurity service providers. Over time, the regulatory regime is expected to improve service providers’ standards and reputations. The CSA will license two categories of cybersecurity service providers, according to a news release: penetration testing and managed security operations center (SOC) monitoring.
These two services are prioritized because the providers delivering them have extensive access to clients’ computer systems and sensitive information. The client’s business could be interrupted if that access is misused. Furthermore, because these services are now widely available and used in the market, they have the potential to substantially affect the whole cybersecurity landscape.
Existing cybersecurity service providers who are already in the business of delivering either or both licensable cybersecurity services will have six months (until October 11, 2022) to apply for a license under the new framework. According to the press release, cybersecurity service providers that fail to apply for a license in a timely manner will be required to stop providing licensable cybersecurity services until a license is secured. The license is valid for two years, with costs of $500 and $1,000 for individuals and businesses, respectively. To help businesses cope with the impact of COVID-19, a one-time 50% cost waiver will be offered for all license applications submitted within the first twelve months.
CSA held a four-week consultation period from September 20 to October 18, 2021, to get feedback on the proposed license conditions and draft subsidiary legislation. A total of 29 replies were received from a variety of local and international industry actors, trade associations, and members of the general public. The comments were taken into account when the licensing framework was finalized, according to the press release.
The Cybersecurity Services Regulation Office (CSRO) was established by the CSA to oversee the licensing framework and to enable communications with the industry and the general public on all licensing-related issues. The CSRO’s responsibilities include implementing the licensing framework, including monitoring licensing processes and imposing and enforcing license requirements. It will also reply to questions and feedback from licensees, businesses, and the general public. It will create and share materials with consumers about licensable cybersecurity services, such as a list of licensees.
CSA introduced a cybersecurity certification program earlier this month to assist businesses in implementing suitable cybersecurity measures based on their cyber risk profiles. The marks validate cybersecurity measures adopted at the organizational level, not the cybersecurity of specific products or services, according to OpenGov Asia. The Cyber Essentials mark is recommended by the CSA for businesses that are just starting out on their digital transformation journey. The Cyber Trust mark is recommended if the majority of corporate operations are handled digitally. Customers will be able to see whether businesses have implemented robust cybersecurity measures and what actions they’ve taken to prevent cyber-attacks, such as testing various scenarios and establishing a business continuity plan.