What Is the Singapore Cybersecurity Act?
The Singapore Cybersecurity Act was enacted in 2018 as a key regulatory framework to enhance the cybersecurity of critical information infrastructure (CII) in Singapore. The Act empowers the Cyber Security Agency of Singapore (CSA) to oversee and enforce cybersecurity measures across various sectors, ensuring the protection of national interests and infrastructure from cyber threats.
Why Was the Singapore Cybersecurity Act Created?
As cyber threats evolve, robust cybersecurity becomes increasingly critical. The Cybersecurity Act addresses these growing risks and challenges. Its primary objectives include:
- Protecting Critical Infrastructure: Safeguard the CII that is vital for the functioning of essential services.
- Enhancing National Security: Strengthen the overall cybersecurity framework to protect against cyber attacks and incidents.
- Promoting Cyber Hygiene: Ensure that organizations adhere to best practices in cybersecurity to prevent breaches and mitigate risks.
Who has to comply with the Singapore Cybersecurity Act?
The Singapore Cybersecurity Act applies to:
- Operators of Critical Information Infrastructure (CII): Entities that manage or operate infrastructure deemed critical to national security, economy, or public safety. This includes sectors such as energy, water, banking, and transport. The CSA provides guidelines for determining which sectors and infrastructure qualify as critical information infrastructure.
- Public Sector Organizations: Government agencies and public sector organizations that are responsible for CII.
- Cybersecurity Service Providers: Organizations providing cybersecurity services or products to CII operators.
How do you comply with the Singapore Cybersecurity Act?
Compliance with the Cybersecurity Act involves:
- Designation of CII: Identify and register critical information infrastructure within your organization.
- Risk Management Measures: Implement and maintain robust cybersecurity measures to protect CII from threats and vulnerabilities. A risk management plan should include risk assessment, security controls, incident response procedures, and regular audits.
- Incident Reporting: Report significant cybersecurity incidents to the CSA promptly, including breaches, attacks, or other security-related events.
- Security Reviews and Audits: Conduct regular security reviews and audits to ensure the effectiveness of your cybersecurity measures and compliance with the Act.
- Coordination with CSA: Cooperate with the CSA in investigations and assessments related to cybersecurity incidents.
How will the Singapore Cybersecurity Act affect businesses?
Here are the key penalties associated with non-compliance:
- Non-compliance with a notice or direction from the Commissioner regarding critical information infrastructure: fine up to SGD 100,000 and/or imprisonment up to 2 years, with an additional fine of SGD 5,000 per day for ongoing offenses.
- Failure to notify changes in ownership of critical information infrastructure within 7 days: fine up to SGD 100,000 and/or imprisonment up to 2 years.
- Failure to report a prescribed cybersecurity incident to the Commissioner: fine up to SGD 100,000 and/or imprisonment up to 2 years.
- Failing to conduct required cybersecurity audits (every 2 years) and risk assessments (annually), or obstructing these processes: fine up to SGD 100,000 and/or imprisonment up to 2 years, with an additional fine of SGD 5,000 per day for ongoing offenses.
- Failure to submit the audit and assessment report to the Commissioner within 30 days: fine up to SGD 25,000 and/or imprisonment up to 12 months, with an additional fine of SGD 2,500 per day for ongoing offenses.
- Failure to comply with a direction to conduct cybersecurity readiness exercises: fine up to SGD 100,000.
Action Plan for Complying with the Singapore Cybersecurity Act
- Assess CII Status: Identify and register any critical information infrastructure within your organization.
- Develop a Cybersecurity Strategy: Create a comprehensive cybersecurity strategy that includes risk management, security controls, and incident response plans.
- Implement Security Measures: Apply necessary security measures and protocols to protect CII.
- Train Employees: Provide training for staff on cybersecurity best practices and compliance requirements.
- Report Incidents: Establish procedures for timely reporting of cybersecurity incidents to the CSA.
- Conduct Audits: Regularly review and audit your cybersecurity measures to ensure ongoing compliance.
How can Craft help?
Craft’s supplier risk management solutions support organizations in meeting the requirements of the Singapore Cybersecurity Act by offering:
- Identify risky suppliers with in-depth company profiles and easily scalable due diligence.
- Continuously monitor your supplier network for changes and potential violations.
- Document your efforts for proof of compliance.
- Collaborate and share information across teams for faster risk mitigation.
Related Regulations
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Modernization Act (FISMA)
- ISO/IEC 27001
By understanding and adhering to the Singapore Cybersecurity Act, procurement and supply chain professionals can ensure the security of critical infrastructure, manage risks effectively, and maintain compliance with national cybersecurity standards.
For an overview of regulations affecting the global supply chain, visit our compliance hub.