We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:



Cybersecurity Bill Passes into Law in Singapore


On Monday, February 5, 2018, the proposed Cybersecurity Bill was passed into law in Singapore, implementing new licensing and regulatory requirements for owners of Critical Information Infrastructure (CII) and cybersecurity service providers. The Bill provides a framework for the regulation of CIIs and formalises the duties of CII owners in ensuring the cybersecurity of their respective CIIs. 

Who are Considered CII Owners?

CII refers to a computer or computer system (as designated by the Commissioner of Cybersecurity) that is necessary for the continuous delivery of essential services, the loss or compromise of which will have a debilitating effect on the availability of the essential service in Singapore.

CII owners are, in turn, defined as the legal owners of such CII. CII owners that provide the following 11 essential services in Singapore are subject to reporting and other obligations under the Bill:

  • Energy
  • Water
  • Banking & Finance
  • Aviation
  • Maritime
  • Info-Communications
  • Healthcare
  • Land Transport
  • Security & Emergency Services 
  • Government
  • Media

Cybersecurity Service Providers

The new law also incorporates a licensing framework for cybersecurity service providers and imposes on such service providers a duty to keep records.

The following are licensable cybersecurity services:

  • Managed security operations centres (SOC).
  • Penetration testing services.

The change in legislation may require immediate action from organisations to ensure the ability to comply with the new requirements. Compliance with the requirements following a breach could be costly – all affected organisations need to assess and understand the risk of these potential costs and to consider how best to manage and transfer them.

For more details, please download a copy of the risk alert.