Under section 7(1) of the Cybersecurity Act, a Critical Information Infrastructure is a computer or a computer system located wholly or partly in Singapore, necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.

The Cyber Security Agency of Singapore (CSA) has worked closely with Sector Leads to identify the Critical Information Infrastructure (CII) supporting the provision of essential services across 11 critical sectors.

The critical sectors are Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services. The list of essential services in these sectors are published in the First Schedule of the Act.

Under Section 7 of the Act, CII refers to specific computers and computer systems that are explicitly designated by the Commissioner of Cybersecurity. It is not the case that firms and sectors will be considered as CII.

The list of CII and CII owners will be finalised, before CSA and Sector Leads implement the Cybersecurity Act in the second half of 2018. The list of CII and CII owners are secret for national security reasons.

The implementation of the licensing framework will be communicated at a later date. 

We intend to keep licensing requirements simple to minimise the operational costs on businesses. The requirements that licensed service providers have to comply with include:

• Ensure that their key executive officers performing the licensable services are fit and proper persons as defined in S26(8). For example, ensure that the individual has not been convicted of any offence involving fraud, dishonesty or moral turpitude.
• Keep for at least 3 years, basic records on the cybersecurity services that it has provided. This was reduced from the earlier proposed 5 years, so as to lighten the administrative requirements on licensed cybersecurity service providers.

There is a breadth of views from cybersecurity service providers. Some welcome the regulation, as it professionalises the industry at a time when more organisations are searching for and consuming cybersecurity services. However, there were some who expressed concerns that licensing regime could increase the operational costs of service providers and impact the development of a vibrant cybersecurity ecosystem in Singapore. In response to concerns, CSA has simplified the licensing regime following consultation, such as by doing away with the need for specific licensing of individual practitioners.