Providers offering two categories of cybersecurity services in Singapore are now required to apply for a license to continue providing such services. They have up to six months to do so; otherwise they will have to cease providing such services or face the possibility of jail time or a fine.
Specifically, companies that provide penetration testing and managed security operations center (SOC) monitoring services will need a license to offer these services in Singapore. These include companies and individuals that are directly involved in such services, third-party providers that support these companies, and licensed resellers of cybersecurity services, according to the Cyber Security Authority (CSA).
The industry regulator said the licensing framework, effective April 11, was parked under the country’s Cybersecurity Law and aimed to better protect the interests of consumers. It also served to improve the standards and reputation of service providers over time.
CSA added that the two service categories were prioritized for licensing because providers of these services had significant access to their customers’ ICT systems and sensitive data.
If such access is abused, the client’s operations could be disrupted, the regulator said.
It added that because these services were widely available and adopted, they also had the potential to make a significant impact on the broader cybersecurity landscape.
Existing providers currently engaged in providing one or both categories of services had until October 11, 2022 to apply for a license. Those who did not do so in time would have to stop providing the service until they obtain a license.
Service providers who submit their license application within six months may continue to provide the licensed service until a decision is made on the application.
Any person found to have provided the licensed services without a license after October 11, 2022 will face a fine not to exceed S$50,000 (US$36,673) or imprisonment for up to two years, or both.
Individuals would have to pay S$500 for their license, while businesses would have to shell out S$1,000. Each license would be valid for two years.
CSA said there would be a 50% one-time fee waiver for applications filed within the first year, before April 11, 2023.
A Cybersecurity Services Regulation Office had been created to administer the licensing framework and to facilitate communication between the industry and the general public on all matters related to licensing.
Its responsibilities include enforcing and managing licensing processes and sharing resources on licensed cybersecurity services with the public, such as providing the list of licensees.
Commenting on other cybersecurity services that could be licensed in the future, CSA said it will “continue to monitor industry and international trends” and engage the industry, where necessary, to assess whether new categories of services should be included.
The release of the licensing framework comes after a four-week consultation period that ended last October.
CSA said it received 29 responses from local and international market players, as well as industry associations and members of the public.
One of those comments concerned the information that licensees are required to provide, upon request, to facilitate the regulator's investigations into matters such as infringements by licensees or licensees' continued eligibility. There were suggestions that the language in the proposed license conditions be made stricter, so that the requests are not too generic, and that there be more clarity about the types of information that might be requested.
CSA said it had revised the language in the license conditions to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation.