On 11 April 2022, The Cyber Security Agency of Singapore announced the launch of a licensing framework for providers of the following cybersecurity services (“LCS”):

  1. managed security operations centre monitoring service; and
  2. penetration testing service.

Under the new framework, cybersecurity service providers (“CSPs”) who are already engaged in the business of providing either or both of the LCSs are given until 11 October 2022 to apply for a licence with the Cybersecurity Services Regulation Office (“CSRO”) to continue providing LCS after 11 October 2022. Pursuant to the new framework, Part 5 and the Second Schedule to the Cybersecurity Act of 2018 will both come into effect.

CSPs providing LCS to another person1 without a licence after 11 October 2022 shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or both. An extension of time would be given to CSPs who have applied for the LCS licence by 11 October 2022 and are awaiting a decision on their LCS licence application.

Requirements

Applications can be made on the CSRO webpage. The fees for each licence are $1,000 for business entities and $500 for individuals, and the licence is valid for up to 2 years from the date of its issuance. A 50% fee waiver will be granted for all applications lodged by 11 April 2023.

Due to the sensitive nature of the LCS, Applicants are required to be ‘fit and proper persons' in order to be eligible for the licence. Applicants are required to submit a declaration in relation to the matters listed in section 26(8) of the Cybersecurity Act, identification documents, as well as their curriculum vitae. With respect to business entities, every officer2 of the business entity would also have to complete and submit a separate personal declaration. Overseas applicants are required to submit a Certificate of Clearance (or its equivalent in the applicant's home country) to show that the relevant officer does not have any record of criminal conviction in his or her home country.

Where there are any changes or inaccuracies in the information and particulars previously given to the CSRO in relation to the application, CSPs are required to notify the CSRO within 14 calendar days of such change or upon knowledge of such inaccuracy. This includes changes to the appointment of any officers of the business entities.

Renewal

CSPs should renew their licence at least 2 months prior to the expiry of their licence. Failure to do so would result in the CSP having to apply for a new licence and the CSP will be required to suspend its operation, i.e. refrain from providing LCS until a new licence is granted.

Complaints

The CSRO also responds to queries and feedback from businesses and members of the public, allowing complaints to be made against unethical and incompetent CSPs. According to section 26(9), the licensing officer “may take into account any matter that the licensing officer considers relevant” when considering whether an applicant/officer is a “fit and proper person”, as this is an essential criterion for the application and renewal of the LCS.

Footnotes

1. with the exception of companies providing LCS solely to their related companies or in-house consumers of LCS.

2. refers to:

  • any director, partner, or individuals listed in the business profile, with the exception of shareholders and company secretary; and
  • any other person who is responsible for the management of the business entity.

Originally published 5 May, 2022

This update is provided to you for general information and should not be relied upon as legal advice.