The Singapore Parliament passed the Cybersecurity (Amendment) Bill (the Bill) on 7 May 2024, amending the Cybersecurity Act 2018 (the Act). The Act is Singapore’s legal framework for the supervision and maintenance of national cybersecurity by the Cyber Security Agency of Singapore (CSA), setting out measures to prevent, manage and respond to cybersecurity threats and incidents. The Bill seeks to extend the scope of the Act over new technologies and business models that have emerged over the past few years.
During the PodChats interview, Gaurav Keerthi, head of Advisory and Emerging Business at Ensign InfoSecurity, acknowledged that the 2018 Cybersecurity Act was groundbreaking (for its time). “But now (the Act) needs updating due to technological and business changes,” he continues.
He adds that key amendments would include expanded oversight to cover more systems, clearer definitions of cybersecurity attacks, regulation of entities of special cybersecurity interest, and oversight of foundational digital infrastructure.
“The Act also clarifies the regulation of third-party vendors, emphasising that while functions can be outsourced, cybersecurity responsibility cannot. Overall, these changes aim to elevate cybersecurity standards and ensure broader protection for society,” says Keerthi.
Impact of amendments on Singapore businesses
Keerthi says the amended Cybersecurity Act will raise cybersecurity standards across diverse organisations, benefiting not just Singapore but the region and beyond. He explains that it introduces a defined compliance framework, ensuring appropriate cybersecurity levels for different types of businesses, from essential service providers to other sectors.
“This regulatory change will enhance trust in the digital ecosystem, reassuring the public that measures are in place to keep them safe online, akin to how the police protect physical safety.”
Gaurav Keerthi
He concedes that the Act might bring cost implications for compliance, impacting organisations differently based on their service type. Essential service providers face higher compliance costs, while others face lower ones.
He explains that this necessary expense is akin to fire safety in real estate, essential for doing business in the digital age. “Compliance also involves administrative efforts, including audits and certifications. Some companies fear higher costs may disadvantage them, but investing in cybersecurity can distinguish them from competitors,” he elaborates.
Keerthi opines that consumers are increasingly willing to pay for reliability and security, much like Apple's emphasis on privacy, making cybersecurity investments beneficial for businesses.
Industries most impacted
The claws of the Cybersecurity Act extend beyond the already heavily regulated banking, financial services and insurance industries. Keerthi explains that the need for enhanced cybersecurity isn't new to companies, as cyberattacks affect diverse sectors like law firms, manufacturing, and retail.
“The amended Act will be enforced through consultation, ensuring organisations understand compliance requirements and their importance,” according to Keerthi. He reveals that public consultations have been ongoing, incorporating feedback to make the Act business-friendly.
“Financial institutions remain prime targets, but manufacturing and healthcare sectors will also benefit from regulated cybersecurity standards, improving overall business environments. The healthcare sector, in particular, will see higher standards through parallel legislation, impacting both large providers and small clinics.”
Gaurav Keerthi
The road to compliance
Keerthi believes that the main change for organisations will be the formalisation of cybersecurity compliance, requiring structured processes and governance similar to financial internal governance. This ensures consistent and repeatable cybersecurity practices.
He explains that while many companies already take cybersecurity seriously, the Act will push them to demonstrate compliance systematically.
“The Cybersecurity Agency has provided extensive guidance, and advisory support is available to ease the transition. This evolution will embed cybersecurity into organisational governance, making it a routine part of business operations without causing significant disruption,” he continues.
Beyond Singapore’s borders
The Cybersecurity Act may have been designed principally for Singapore, but perpetrators of cyber threats recognise no boundaries. Ensign's Cyber Threat Landscape Report highlighted that threats in Asia differ from those in the West, emphasising the need for region-specific awareness. Singapore's regulatory approach offers one governance model among many global strategies.
He reveals that many countries look to Singapore for cybersecurity regulatory innovation, particularly regarding emerging technologies. He concedes that not every approach will succeed due to the rapid pace of technological advancement, but Singapore's proactive stance allows for experimentation and adaptation.
“AI regulation, for example, is a global challenge, with efforts from the EU and Singapore. Observing Singapore's regulatory developments is exciting, as it prompts global responses and adaptations, showcasing its role as a fast-moving leader in cybersecurity regulation,” he opines.
Advice for cybersecurity leaders
Keerthi advises CIOs and CISOs to see cybersecurity regulations as opportunities rather than threats. He stresses that by leveraging regulations to secure resources, they can build robust and reliable digital infrastructures, fostering trust and attracting more customers.
He warns that in sectors like banking, where trust is paramount, failure to invest in cybersecurity leads to customer loss.
“Viewing regulations as a chance to enhance cybersecurity and gain a competitive edge will be crucial for CIOs and CISOs in attracting customers and ensuring organisational resilience,” concludes Keerthi.
Click on the PodChats player and listen to Keerthi’s views and recommendations on how organisations can leverage the amended bill.
- Provide a background of the CSA-proposed Cybersecurity Amendment Bill. What are the main regulatory changes proposed and new requirements?
- What will be the projected effects (both positive and negative) of this new law on Singapore enterprises? [Singapore CCOP]
- Outside of the banking and financial services industry following stringent cybersecurity regulations, what kind of enterprises (type of businesses) will be most affected by such regulatory changes?
- Speaking of compliance, what steps can enterprises take to comply with new requirements and regulations? To what extent will the amendments require changes to current cybersecurity practices?
- Singapore has led the ASEAN region when it comes to cybersecurity readiness. How do you see these developments in Singapore influencing other regulators in ASEAN?
- Do you have any suggestions on how to improve the Cybersecurity Amendment Bill?
- What is your advice for CISOs and CIOs as it relates to processing cybersecurity regulations in the years to come?