Cyber Security Agency of Singapore - FAQ

Frequently Asked Questions

Advanced Search

Advanced Search

Close Panel

All of these words

This exact phrase

Any of these words

Without these words

Search within:

CSA
Whole of Government

Expand All

Cybersecurity Act

Licensing of Cybersecurity Service Providers

1.	Globally, Singapore would be one of the first countries to license cybersecurity service providers. What are some views from such providers? There is a breadth of views from cybersecurity service providers. Some welcome the regulation, as it professionalises the industry at a time when more organisations are searching for and consuming cybersecurity services. However, there were some who expressed concerns that licensing regime could increase the operational costs of service providers and impact the development of a vibrant cybersecurity ecosystem in Singapore. In response to concerns, CSA has simplified the licensing regime following consultation, such as by doing away with the need for specific licensing of individual practitioners.
2.	What are the Cyber Security Agency of Singapore's (CSA) justifications for introducing the licensing framework? The licensing framework is only one part of the Cyber Security Agency of Singapore (CSA)'s overall strategy to develop and strengthen the cybersecurity industry in Singapore. It will be complemented by CSA's partnerships with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals. CSA's considerations for the licensing framework are to help: Provide greater assurance of security and safety to consumers of cybersecurity service providers, as such services become more common and sought after; Raise the quality of the standards of these service providers over time; and Address information asymmetry between service providers and consumers of cybersecurity services.
3.	Why did the Cyber Security Agency of Singapore (CSA) decide to license only providers of penetration testing and managed security operations centre (SOC) services? The Cyber Security Agency of Singapore (CSA) intends to adopt a light-touch approach to license penetration testing and managed security operations centre (SOC) monitoring because these services: Have access to sensitive information from their clients and could have significant impact if not delivered well or misused, and Are also relatively mainstream in our market and hence have a significant impact on the overall security landscape. CSA will continue to monitor international and industry trends and assess if new types of cybersecurity services are considered high-risk, and evaluate whether the providers of such services should be licensed.
4.	What are the licensing conditions that licensed cybersecurity service providers have to comply with? We intend to keep licensing requirements simple to minimise the operational costs on businesses. The requirements that licensed service providers have to comply with include: Ensure that their key executive officers performing the licensable services are fit and proper persons as defined in S26(8). For example, ensure that the individual has not been convicted of any offence involving fraud, dishonesty or moral turpitude. Keep for at least 3 years, basic records on the cybersecurity services that it has provided. This was reduced from the earlier proposed 5 years, so as to lighten the administrative requirements on licensed cybersecurity service providers.
5.	When will the licensing framework be implemented? The implementation of the licensing framework will be communicated at a later date.