Vendors offering two categories of cybersecurity services in Singapore must now apply for a licence to continue providing such services. They have up to six months to do so; otherwise, they will have to cease providing such services or face the possibility of a jail term or fine.
Specifically, companies that provide penetration testing as well as managed security operations centre (SOC) monitoring services will need a licence to offer these services in Singapore. These include companies and individuals directly engaged in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to the Cyber Security Authority (CSA).
The industry regulator said the licensing framework, effective from April 11, was parked under the country’s Cybersecurity Act and aimed to better protect consumers’ interests. It also served to improve service providers’ standards and standing over time.
CSA added that the two service categories were prioritised to kickstart the licensing regime because providers of these services had significant access into their customers’ ICT systems and sensitive data.
Should such access be abused, the client’s operations could be disrupted, the regulator noted.
It added that because these services were widely available and adopted, they also had the potential to cause significant impact on the wider cybersecurity landscape.
Existing vendors currently engaged in the provision of either or both service categories had up to October 11, 2022, to apply for a licence. Those that failed to do so on time would have to stop providing the service until a licence was obtained.
Service providers that submitted their application for a licence within six months would be permitted to continue delivering the licensable service until a decision on the application was made.
Any person who provided the licensable services without a licence after October 11, 2022, would face a fine not exceeding SG$50,000 ($36,673) or a jail term of up to two years, or both.
Individuals would have to pay SG$500 for their licence, while businesses would have to fork out SG$1,000. Each licence would be valid for two years.
CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023.
A Cybersecurity Services Regulation Office had been set up to administer the licensing framework and facilitate communications between the industry and wider public on all licensing-related issues.
Its responsibilities include enforcing and managing licensing processes and sharing resources on licensable cybersecurity services with the public, such as providing the list of licensees.
Commenting on other cybersecurity services that might be licensable in future, CSA said it would “continue to monitor international and industry trends” as well as engage the industry, where necessary, to assess if new service categories should be included.
The launch of the licensing framework comes after a four-week consultation period that ended last October.
CSA said it received 29 responses from both local and international market players as well as industry associations and members of the public.
One piece of feedback pertained to the information required, upon request, to facilitate the regulator’s investigations into matters such as breaches by licensees or the licensee’s continued eligibility. There were suggestions that the language of the proposed licence conditions be tightened, so that requests were not overly generic, and that there be more clarity on the types of information that might be requested.
CSA said it had revised the language of the licence conditions to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation.