Singapore Begins Licensing to Cybersecurity Suppliers

Vendors offering two categories of cybersecurity services in Singapore are now required to apply for a license to continue providing such services. They have up to six months to do so or will have to stop providing such services if they do not want to face the possibility of jail time or fine.

In particular, companies providing penetration testing and managed Security Operations Center (SOC) monitoring services require a license to provide these services in Singapore. These include companies and individuals directly involved in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to Cyber ​​Security Authority (CSA).

The industry regulator said the licensing framework, effective April 11, is parked under the country’s Cybersecurity Act and aims to better protect consumer interests. It also served to improve the standards and status of service providers over time.

CSA added that priority was given to the two service categories to kick-start the licensing regime, as providers of these services had significant access to their customers’ IT systems and sensitive data.

If such access is abused, the customer’s activities could be disrupted, the regulator said.

It added that because these services were widely available and accepted, they also had the potential to have a significant impact on the broader cybersecurity landscape.

Existing vendors currently offering one or both service categories had until October 11, 2022 to apply for a license. Those who failed to do so in time would have to stop providing the service until a permit is obtained.

Service providers who have submitted their license application within six months may continue the license requirement until a decision has been made on the application.

Any person who provided licensed services without a license after October 11, 2022 would be fined up to SG$50,000 ($36,673) or jailed for up to two years, or both.

Individuals would have to pay SG$500 for their license, while companies would have to pay SG$1,000. Each license would be valid for two years.

CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023.

A Cybersecurity Services Regulation Office was established to manage the licensing framework and facilitate communication between the industry and the wider public on all licensing related issues.

His responsibilities include enforcing and managing licensing processes and sharing resources about licensable cybersecurity services with the public, such as providing the list of licensees.

Commenting on other cybersecurity services that may be licensed in the future, CSA said it would “continue to monitor international and industry trends” and involve the industry as appropriate to assess whether to include new service categories.

The launch of the licensing framework comes after a four-week consultation period that ended last October.

CSA said it received 29 responses from both local and international market players, industry associations and members of the public.

One such feedback related to information required upon request to facilitate the regulator’s investigation into matters such as licensee infringements or regarding the licensee’s continued suitability. It was suggested that the language of the proposed permit conditions be tightened so that the requests were not too generic, and that there was greater clarity about the type of information that could be requested.

CSA said it had revised the language of the license terms to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation.



Leave a Reply

Your email address will not be published.

Back to top