Within All Government Websites
Frequently Asked Questions
All of these words
This exact phrase
Any of these words
Without these words
Whole of Government
Administration of the Act
How will the Act empower Sector Leads?
The Act allows the Minister to appoint Assistant Commissioners (ACs) to assist the Commissioner to oversee and enforce cybersecurity requirements on the owners of Critical Information Infrastructure (CII), and the intention is to appoint officers from sector regulators as ACs to perform this role. This is because sector regulators understand the unique contexts and complexities in their sectors, and will be best-placed to advise on the necessary requirements so as to strike a balance between their sector's cybersecurity needs and operational considerations.
The Act will provide the Cyber Security Agency of Singapore (CSA) and ACs appointed from Sector Leads, such as the Energy Market Authority (EMA) for the energy sector, with the necessary levers to proactively protect our CII and respond to cybersecurity threats and incidents.
However, it is recognised that not all Sector Leads may be ready to assume the cybersecurity regulatory role at the current moment. The Act provides for the flexibility for the Commissioner to assume direct oversight over certain CII.
What are the powers of the Assistant Commissioner?
The Assistant Commissioner has and may exercise all the powers of the Commissioner as delegated except for the powers to:
appoint authorised officers (Section 6)
designate Critical Information Infrastructure (CII) (Section 7)
withdraw designation of CII (Section 9)
take possession of computers or equipment for the purpose of carrying out further examination of analysis during serious cybersecurity incidents (Section 20)
For the power to issue written directions (Section 12), the Assistant Commissioner will be administratively empowered to issue written directions within his/her sector for operational expediency.
Do sectoral regulations have cybersecurity requirements? Are these requirements comparable to the powers in the Cybersecurity Act?
A few sectors such as the Banking and Finance sector have regulatory levers to tackle cyber threats and incidents. For example, the Monetary Authority of Singapore (MAS) has Guidelines on Technology Risk Management (TRM), as well as the MAS Notice on TRM (pursuant to Section 55 of Banking Act which empowers MAS to impose requirements on banks). The TRM Notice imposes obligations on credit card or charge card licensees to make reasonable efforts to maintain a high availability of critical systems, to establish a recovery time objective for each critical system, to notify MAS of a relevant incident, to submit a root cause and impact analysis report to MAS of the relevant incident, and to implement IT controls to protect customer information from unauthorised access or disclosure. Therefore, in these aspects, MAS's existing powers are similar to the powers over Critical Information Infrastructure owners in the Cybersecurity Act.
However, most sectors have outcome-based legislation, in which penalties apply after performance or service standards fall. The Act thus provides a common set of powers to Assistant Commissioners appointed from such sector leads to empower them to enforce cybersecurity requirements within their sectors.
What happens if an entity breaches both the Cybersecurity Act and the Sector Lead's own Act / existing frameworks on cybersecurity? Will the Cyber Security Agency of Singapore (CSA) or the Sector Lead take action?
If the directions are issued drawing powers from the Cybersecurity Act, enforcement actions for any non-compliance should be taken by the Assistant Commissioner in consultation with the Commissioner as per the penalty framework under the Cybersecurity Act.
The Cybersecurity Act does not prevent Sector Leads from setting more stringent cybersecurity requirements under their sectoral regulations to cater to the cybersecurity needs of the sector. In such cases, the sectoral regulations would take precedence over the Cybersecurity Act.
If you are unable to find an answer to your query, please submit your
to let us know how we can help you.
Rate this Website
© 2019, Government of Singapore