Singapore: Licensing requirements for cybersecurity service providers come into effect

Providers of managed security operations centers and penetration testing services must apply for the requested license by October 11, 2022.

In short

Providers of managed security operations centers and penetration testing services, collectively referred to as cyber security services (LCS), should keep in mind that Part 5 (and Annex 2) of the 2018 Cyber ​​Security Act will enter into force on 11 April 2022 ., implemented by Cybersecurity Regulation (Cyber ​​Security Service Providers) 2022. To assist LCS providers in applying for the requested licenses, the Cybersecurity Services Office has published an online collection of resources including application guides and a licensee information package.

Below is a summary of the background and objectives of this licensing framework, as well as the criteria for issuing an LCS license, time frame, and procedure.

One of the goals of the Cyber ​​Security Act, which establishes a legal framework for monitoring and maintaining national cyber security in Singapore, is to establish a framework for licensing “light touch” for cyber security service providers. This licensing framework supports the efforts of the Singapore Security Agency (CSA) to raise awareness and encourage the adoption of cybersecurity solutions by businesses by addressing three main considerations:

Ensure that LCS is “appropriate and correct”, capable of reducing security and safety risks due to LCS’s significant access to its clients ‘computer systems and networks and their deep understanding of the position and vulnerabilities of its clients’ cybersecurity. Introducing a licensing framework, which will be light at first and will not impose any quality requirements, similar to the registration regime, but with a progressive improvement of the quality of cybersecurity service providers (CSPs) through the future introduction of a code of ethics and certain basic competency requirements. especially smaller customers who do not have internal cybersecurity expertise, identifying credible CSPs that match their risks and budget and increasing demand for such services

From September 20, 2021 to October 18, 2021, the CSA conducted industry consultations on proposed licensing conditions and bylaws. On April 11, 2022, a review of feedback by the Agency was published with answers on certain areas of feedback, which we will note below in the explanation of certain points of the criteria for issuing LCS licenses and licensing conditions.

Click here to access the full alert.

* * * * *

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow was founded with limited liability and is a member of Baker & McKenzie International, a global law firm with member law firms around the world. According to common terminology used in professional service organizations, a reference to “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, a reference to an “office” means the office of any such law firm. This can be qualified as “lawyer advertising” which requires notification in some jurisdictions. Previous results do not guarantee a similar outcome.