Cybersecurity is a collective responsibility, and we must all do our part. Much of the cost of strengthening cybersecurity protection and enhancing responses to cybersecurity threats and incidents at the national level are borne directly by the Government. This includes resourcing national-level cybersecurity infrastructure and manpower, conducting regular cybersecurity exercises to validate cybersecurity incident management processes, and deploying National Cyber Incident Response Teams (NCIRT) to respond to cybersecurity incidents.

Today, many Critical Information Infrastructure (CII) owners have already put in place cybersecurity measures arising from regulations in sectors such as banking and finance and infocomm. The Act aims to strengthen the cybersecurity of CII in all sectors, including those that currently do not have any cybersecurity requirements. The requirements under the Act have been carefully scoped and are considered not too onerous.

There will be cost implications for some CII owners who will have to strengthen the cybersecurity posture of their computer systems to meet the requirements of the Act. To minimise regulatory costs, we will work with sector regulators to streamline the cybersecurity audit and incident reporting processes in order to harmonise cybersecurity requirements under the Act and in their respective sectors, wherever possible.

It is also in the interest of CII owners and their vendors to spend adequately on cybersecurity measures. They should consider not only the upfront cost of such measures, but also the cost of potential breaches, including the intangible costs arising from any damage to their reputation. If organisations follow good security-by-design practices, they will spend less overall in the long-run to fix cybersecurity issues.