Headlines published in the last 30 days are listed on SLW.

Cyber-security service providers will soon need to be licensed

Cyber-security service providers will soon need to be licensed

Source: Straits Times
Article Date: 21 Sep 2021
Author: Kenny Chee

The licence aims to give greater assurance of safety to customers and raise the quality of the providers, said the Cyber Security Agency of Singapore.

Cyber-security service providers, which verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, will soon have to be licensed.

This aims to give greater assurance of safety to customers and raise the quality of the providers, said the Cyber Security Agency of Singapore (CSA) yesterday.

The providers, which can be companies or individuals, will be licensed under a new framework expected to kick in by early next year. CSA has launched a public consultation on the framework.

Service providers will be given six months from the start of the framework to apply for a licence.

One of the services to be licensed is "penetration testing", which checks if an organisation can identify and respond to simulated cyber-security attacks.

Another service to be licensed entails monitoring activities in computer systems to identify threats.

If these services are offered without a licence, providers can be fined up to $50,000, jailed for up to two years, or both.

Licences can also be revoked or suspended. CSA can fine an errant company or individual up to $10,000 for each failure to comply with a licensing condition.

The total fine should not exceed $50,000 for various conditions not complied with on a particular occasion.

The requirements include needing key officers to be "fit and proper". They should not have any criminal convictions or judgment against them in civil proceedings such as those involving fraud and dishonesty.

Companies or individuals must inform CSA at least 30 days before the appointment of a new key officer. They must also provide information to help it investigate any potential breaches of the licence.

They also need to keep basic records of the services provided for at least three years, including client names and details of the work done, and keep clients' information confidential.

The framework does not cover offerings for non-business consumers, such as anti-virus software or services that monitor e-mails for malware.

Singapore is believed to be one of the first countries in the world to introduce licensing for cyber-security service providers.

The consultation on the licensing conditions also comes after a July report by CSA showed that cyber threats here have risen.

For instance, "zombie" devices linked to the Internet, and infected with malware that allow hackers to control them and launch cyber attacks, have tripled their numbers here amid the Covid-19 pandemic.

On the aims of the framework, CSA said that as cyber-security risks become more widespread, the demand for credible cyber-security services will continue to grow.

But some services offered can be sensitive and intrusive. If the service providers' access to clients' systems and networks is abused, it can compromise and disrupt customer operations, said the agency. Hence, the providers need to be fit and proper.

Licensing also seeks to improve standards. CSA noted that the "risks of services being carried out by incompetent or substandard providers are multifold". They could cause computer systems to become vulnerable or damaged and lose information. They could even endanger other systems.

Even so, CSA said it does not initially intend to impose quality requirements on service providers in a bid to strike a balance between industry development and cyber-security needs.

"Nonetheless, it is envisaged that licensing could serve as the means through which the quality of (service providers) could be raised over time in future, such as through the introduction of a code of ethics or certain baseline competency requirements," it added.

Licensing also aims to address an information gap that can exist between service providers and their customers by helping the latter identify credible providers.

CSA said customers, especially smaller buyers, may not have expert knowledge and not know which providers are ethical or of good quality.

The agency estimates that there are more than 150 licence applications to be submitted.

Details of the industry consultation on the framework can be found at and the public has until 5pm on Oct 18 to give feedback.

Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.


Latest Headlines

No content

A problem occurred while loading content.

Previous Next

Terms Of UsePrivacy StatementCopyright 2021 by Singapore Academy of Law
Back To Top