Cybersecurity service providers must for licenses to operate in Singapore, under new regulations launched by the country’s Cyber Security Agency (CSA) on Monday.
The new licensing framework requires vendors that offer penetration testing, and/or managed security operations centers (SOC) to get a licenses, in recognition that they access customers’ systems and therefore pose a risk. The measures are effective immediately, although existing vendors have until October 11, 2022 to apply for the required licenses.
Those that fail to acquire the necessary licenses will face a fine up to SG$50,000 (US$36,600) and up to two years in jail.
Licensees will need to satisfy regulators that they are fit and proper people, and notify of any new staff they employ on gigs that involve rummaging around inside customer systems. Licenses will cost S$500 for individuals and S$1000 for businesses (365 and $730).
The CSA is having a half-off license sale, waiving 50 percent of fees for applications made prior to 11 April 2023, as an effort to support businesses impacted by COVID-19.
The regulatory org said the new framework would protect consumers and improve practitioner standards.
“In the event that the access is abused, the client’s operations could be disrupted,” said CSA in its canned statement. “In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.”
Before implementing the policy, the CSA sought feedback from a mix of local and foreign industry players, industry associations, and members of the public. By the end of the review period in October 2021, the CSA had received 29 responses.
The CSA said while most responses were supportive of the new requirements, some were concerned it would be a regulatory burden and potentially stifle innovation. Specifically, concerns were raised over whether service providers may aggregate or use anonymised client data for threat intelligence purposes, leading CSA to limit the scope of its license condition.
“The use of anonymised information that is within the scope of this condition should be a matter to be agreed upon between the licensee and its client,” said CSA.
Within its responses to the open feedback, CSA clarified that resellers, or overseas cybersecurity service providers who provide licensable cybersecurity services to the Singapore market would also require a license.
Singapore, like most places, has felt the pressure of increased cyber threats in the past few years. The Singapore Computer Emergency Response Team released an advisory in late February stating there was an increased cyberthreat related to the Russian-Ukraine conflict. The org released a list of best practices for securing systems and network infrastructure, monitoring, responding and more.
Acronis has told us that the measures are unlikely to affect their operations as it is a cyber protection development company, but said it was reviewing the regulations.
Kaspersky commented: “Amongst a host of solutions and services Kaspersky provides, it offers Penetration Testing and Managed and Detection Services for enterprises and entities in Singapore.
“As the licensing framework applies to cybersecurity service providers… providing licensable cybersecurity services to the Singapore market, including penetration testing service and managed security operations centre monitoring service, Kaspersky is currently in the process of doing the necessary to obtain the license.
“We are confident about the integrity and security of our products and services thus our line of communications with the Cyber Security Agency (CSA) of Singapore remains proactive and open to ensure that we comply with the requirements related to this regulatory measure.” ®