Note: This article was originally published on 14 April 2022 and updated on 6 July 2023.
A licensing framework adopted by the Cyber Security Agency (CSA) of Singapore in April 2022 requires certain cybersecurity service providers (CSPs) to be licensed before providing their services in Singapore.
The framework currently applies to only two types of cybersecurity services: penetration testing services and managed security operations centre monitoring services. Those services were given priority for regulation because CSPs providing those services have privileged access to their customers’ networks and sensitive information. The licence requirement does not apply to those providing these cybersecurity services only to their related companies.
Persons intending to provide a licensable cybersecurity service must first apply for and be granted a licence (unless they were providing such a service immediately before the licensing framework became effective and have qualified for a temporary exemption). Persons who provide a licensable cybersecurity service without having a temporary exemption or the necessary licence will be subject to a fine of up to S$50,000 or imprisonment of up to 2 years, or both.
Each licensable cybersecurity service requires a separate licence, so a person intending to provide both services must apply for and be granted two licences. Licences are valid for 2 years and may be renewed.
The chief criteria to determine whether an applicant should be granted a licence is whether the applicant is fit and proper. The CSA’s Cybersecurity Services Regulation Office (CSRO), which administers the licensing framework , may consider any factor it considers relevant when assessing fitness and propriety, but for an individual applicant the CSRO will first look at whether they have a criminal or civil judgment against them involving fraud, dishonesty, moral turpitude or breach of trust; whether they suffer from an unmanaged mental health condition; whether they are an undischarged bankrupt; or whether they have had a previous licence revoked. The same general criteria, to the extent relevant, apply to business applicants and to each of their officers (i.e., directors, partners, etc. and persons responsible for the management of the business).
Licensed CSPs must make records in respect of each of its customer engagements that identify the individuals (including employees) and/or businesses who provided licensed cybersecurity services on its behalf. Licensed CSPs must retain each such record for at least 3 years.
The CS Act requires providers of penetration testing services and managed security operations centre monitoring services to be licensed before providing those services in Singapore.
OrionW regularly advises clients on data protection and cybersecurity matters. For more information about the regulation of cybersecurity in Singapore, or if you have questions about this article, or if you require assistance to submit an application for a licence to provide cybersecurity services, please contact us at firstname.lastname@example.org.
Disclaimer: This article is for general information only and does not constitute legal advice.