Lawmakers in Singapore updated the nation’s cybersecurity regulations on May 7, significantly enhancing the authority of the Cyber Security Agency (CSA) and broadening the definition of critical infrastructure to include cloud services. The revised Cyber Security Act mandates that operators of critical information infrastructure (CII) report cybersecurity incidents to the government, reflecting the growing complexity and risks of the cyber threat landscape.
Janil Puthucheary, senior minister of state for the Ministry of Communications and Information, emphasized the need for updated regulations due to the increasing reliance on cloud infrastructure and third-party providers:
“The 2018 Act was developed to regulate CII that were physical systems, but new technology and business models have emerged since,” he said, highlighting the necessity for the Act to evolve to maintain security and resilience against cyber threats.
Singapore’s amendment follows a regional trend of bolstering cybersecurity. In April, Malaysia passed its own Cyber Security Bill, aiming to establish a robust cybersecurity framework. Additionally, Japan, the Philippines, and the US initiated a trilateral information-sharing arrangement to counter threats from China, North Korea, and other nations.
The CSA’s enhanced regulations enjoy broad support in Singapore, following extensive consultations with critical infrastructure providers, citizens, businesses, and legal experts. Donny Chong, product director at denial-of-service defense firm Nexusguard, noted the urgency for stronger regulations due to the increasing number of cyber threats impacting essential services and national security.
The original Cybersecurity Act was designed to protect CII and establish a licensing framework for cybersecurity service providers. However, the rise of cloud computing and international service providers necessitated stronger regulatory measures. The amendment classifies businesses and infrastructure operators into five categories, including provider-owned CII and foundational digital infrastructure services, requiring audits, risk assessments, and incident reporting.
Lim Chong Kin, managing director at Drew & Napier, emphasized that the new regulations would impose increased compliance costs on businesses but are essential for adapting to the evolving cyber landscape. Singapore remains a prime target for cyber threats due to its open digital economy and reliance on global trade, with more than 80% of organizations experiencing cyber incidents in the past year.
As artificial intelligence and quantum computing further disrupt the threat landscape, ongoing regulatory updates and cultivating a cyber-literate population are crucial for securing Singapore’s cyberspace. Puthucheary reaffirmed the need for essential service providers to remain responsible for the cybersecurity of their systems, ensuring the nation’s digital infrastructure remains robust and resilient.