1.
The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) commenced work on the Act in late 2015. Since then, MCI and CSA have conducted five rounds of closed-door consultations with key stakeholders, including government agencies, potential Critical Information Infrastructure (CII) owners, industry associations, and cybersecurity professionals. MCI and CSA held a public consultation on the draft Bill from 10 July to 24 August 2017; the deadline was extended by 3 weeks in response to public requests for more time to provide feedback. A total of 92 submissions were received during the public consultation process.
Respondents were generally supportive of the Bill and understood the importance of such a Bill to enhance the cybersecurity landscape in Singapore for the benefit of the people and businesses. They shared the Government's concerns on cyber threats and the impact of cyber-attacks on Singapore. They acknowledged the importance of the Bill in providing the necessary legislative framework to better protect CII, and to give CSA the legislative powers required to act on cybersecurity incidents that impact the nation. Several respondents also agreed with the importance of sharing cybersecurity information between CSA and other organisations, and the need to safeguard the sources and information disclosed.
However, several respondents expressed reservations about the proposed licensing framework. They felt that the requirements imposed on businesses should not be too onerous. Several suggested simplifying the licensing framework, or making it voluntary, e.g. through an accreditation regime.
The feedback provided has been taken into consideration in the drafting of the Bill.
2.
The Cyber Security Agency of Singapore (CSA) will be engaging the industry further on implementation details such as the licensing requirements for cybersecurity service providers.
3.
Legislation in other countries generally accords authorities with powers in some of the following five areas: (i) Standards setting, (ii) Information sharing, (iii) Incident management, (iv) Crisis management, and (v) International conduct.
The Act is not out of step with international developments, but will be one of the most comprehensive cybersecurity laws, covering three of the five areas: standards setting, information sharing, and incident management. The Act does not provide for emergency/crisis powers or international conduct (e.g. harmonisation with other countries' laws, or a mandate for international engagement).
Notably, Singapore will be among the first countries in the world to regulate cybersecurity service providers, specifically penetration testers and managed security operations centre (SOC) monitoring service providers.
The licensing framework will be light-touch when introduced, in that licensed cybersecurity service providers will need to fulfil only basic requirements that are set out in Part 5 of the Act. For example, they have to ensure that their key executive officers and employees performing the licensable services are fit and proper persons, as well as keep service records for a duration of 3 years. Where licensable cybersecurity services are provided to related companies, the providers will not require a licence.
Beyond the Act, the Cyber Security Agency of Singapore (CSA) will continue to work with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals, to improve the standing of cybersecurity professionals. This will complement the light-touch licensing framework for cybersecurity service providers, which will not impose quality requirements as part of the licensing conditions at the outset.
4.
There are no laws in Singapore today that directly ensure the routine protection of Critical Information Infrastructure (CII). Today, Section 15A of the Computer Misuse and Cybersecurity Act (CMCA) empowers the Minister for Home Affairs to issue a certificate authorising or directing a person or an entity to take measures to comply with requirements necessary to prevent, detect or counter a threat to the national security, essential services, defence or foreign relations of Singapore, if the Minister is satisfied that it is necessary for the purpose of preventing, detecting or countering such a threat. However, the CMCA, which mainly deals with cybercrimes such as unauthorised access to computer material, does not provide a regulatory framework for the routine and proactive protection of CII.
The Cybersecurity Act will enhance the powers available under Section 15A of the CMCA by providing additional powers that focus explicitly on cybersecurity. For instance, Section 15A allows the Government to request information to protect against cybersecurity threats, but does not mandate CII incident reporting or facilitate the sharing of cybersecurity information with the Government. The Cybersecurity Act will address these gaps.
Today, the Cyber Security Agency of Singapore (CSA) works with sector regulators to coordinate cybersecurity efforts to protect CII within their own sectors. The sectors have varying levels of cybersecurity readiness, and sector regulators have varying powers under their respective legislation and regulations to regulate CII within their sectors on cybersecurity matters.
While some Sector Leads have powers to regulate CII owners, such regulation tends to be outcome-based and was not designed with cybersecurity in mind. For example, rail operators and telcos are largely regulated based on their ability to meet service standards, not based on their compliance with cybersecurity requirements.
Other Sector Leads do not see themselves as regulators, as their relationship with the CII is contractual, or they are CII owners themselves. These sectors are unlikely to have strong incentives to invest in cybersecurity of their own accord.