Providers of managed security operations centre monitoring services and penetration testing services have to apply for the required license by 11 October 2022

In brief

Providers of managed security operations centre monitoring services and penetration testing services, collectively referred to as licensable cybersecurity services (LCS), should note that Part 5 of (and the Second Schedule to) the Cybersecurity Act 2018 will enter into force on 11 April 2022, implemented by the Cybersecurity (Cybersecurity Service Providers) Regulations 2022. To assist LCS providers in applying for the required licenses, the Cybersecurity Services Regulation Office has published an online collection of resources including application guides and a licensee information package.

Below is a summary of the background and aims of this licensing framework, as well as the criteria for the granting of an LCS licence, the timeframe and the procedure.

Background to licensing framework

One of the objectives of the Cybersecurity Act, which establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore, is to establish a “light-touch” licensing framework for the cybersecurity service providers. This licensing framework supports the efforts by the Security Agency of Singapore (CSA) to raise awareness and encourage adoption of cybersecurity solutions by businesses by addressing three main considerations:

• Ensuring LCS are “fit and proper”, capable of reducing safety and security risks due to LCS’ significant access into their clients’ computer systems and networks, and their deep understanding of their clients’ cybersecurity posture and vulnerabilities
• Introducing a licensing framework, which at the outset will be light-touch and will impose no quality requirements, akin to a registration regime, but with progressive raising of the quality of cybersecurity service providers (CSPs) through the future introduction of a code of ethics and certain baseline competency requirements
• Assisting potential clients, especially smaller buyers who do not have in-house cybersecurity expertise, identifying credible CSPs appropriate for their risks and budget and increasing the demand for such services

The CSA ran an industry consultation on the proposed license conditions and subsidiary legislation from 20 September 2021 to 18 October 2021. On 11 April 2022, the CSA’s overview of the feedback was released with responses received on specific areas of feedback, which we will note below in explaining specific points of the criteria for the granting of a LCS license and the licensing conditions.

Click here to access full alert.

* * * * *

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.