SINGAPORE, July 10 — Public consultation for a proposed Cybersecurity Bill, which requires firms of 11 essential sectors to report any cyber security incidents, share information with the authorities when requested, among other statutory duties, kicked off this morning.

The proposed new laws will override existing laws, such as Banking Secrecy Act, and establish a framework to manage cyber security in Singapore as well as allow the Cyber Security Agency (CSA) to carry out its functions.

Owners of critical information infrastructure (CII), defined as computer systems necessary for the continuous delivery of essential services, will have certain statutory duties, such as reporting cyber attacks involving the CIIs, as well as carrying out audits, risk assessments and participating in cyber security exercises.

While the CIIOs will not be directly penalised for cyber security breaches, the CSA and Ministry of Communications and Information said in its public consultation paper on the draft bill that they are liable to be charged with criminal offences in cases where they fail to perform their duties or fail to comply with Commissioner’s directions without reasonable excuse.

While the existing Computer Misuse Act provides for combating cyber threats, this proposed bill will be more holistic, said CSA chief executive officer David Koh.

"Compared to existing legislation, there are three key differences. The scope is expanded to beyond CIIs, for investigation of cybersecurity threats and incidents; the CIIs are officially designated and duties of CII owners are spelt out clearly. The bill also aims to raise our overall cybersecurity posture, by licensing certain cybersecurity service providers,” he said.

A framework will also be established for the sharing of cyber security information with CSA officers, which CSA called "key to cyber security”.

This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident, and will, when necessary, take precedence over any existing secrecy laws that prevent information sharing.

If necessary, any relevant entity that falls outside of the 11 critical sectors may also be compelled to share such information, according to CSA.

The bill also proposed licensing cyber security professionals, starting with those providing penetration testing and managed security operations centre (SOC) services. This is due to the need for more credible services, as cybersecurity risks become more mainstream, said CSA.

The public consultation for the draft bill will close on August 3. — TODAY