New Licensing Requirements for Companies Providing Cybersecurity Services
Legal Development 17 June 2022
Following the commencement of the Cyber Security Agency of Singapore’s licensing framework for companies providing cybersecurity services (“CSPs”), CSPs in Singapore will now have to apply for a licence for the provision of such services by 11 October 2022.
A cybersecurity service provider who applies for a licence by 11 October 2022 may continue to provide its service until a decision on its licence application has been made.
It is an offence to provide a licensable cybersecurity service (“LCS”) without a licence after 11 October 2022, and any persons doing so shall be liable on conviction to a fine not exceeding S$50,000 and/or to imprisonment for a term not exceeding 2 years.
At a glance
|Who does this affect?||
All providers of:
Companies providing both services must obtain separate licences for each service.
|How to apply||
Applicants may apply for a licence here.
CorpPass or SingPass credentials are required to access the system.
|Licence fees for each licence||
Business entities: S$1000
A 50% waiver will be granted on all applications lodged by 10 April 2023.
|Application processing time||
Up to 6 weeks from the receipt of the complete application including all supporting documents.
Applicants will be notified of the outcome of the application via email.
|Licence validity period||2 years from date of licence issuance.|
|Criteria for grant of licence||Applicant must be a “fit and proper” person and the grant of the licence must not be against the public interest or a threat to national security.|
|Continuing obligations under licence||
Licensee must comply with the following licence conditions:
Who does this affect?
The licensing requirement applies to all CSPs that provide either or both of the following LCSs to the Singapore market:
|Managed security operations centre monitoring service||A service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system.|
|Penetration testing service||
A service for assessing, testing or evaluating the level of cybersecurity of a computer or computer system, by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system, and includes any of the following activities:
- Such requirements apply regardless of whether the person is a company, an individual, a third-party CSP that provides LCSs in support of other CSPs, a reseller, or an overseas CSP.
- However, a company that provides licensable services solely for its related company(s), e.g. an in-house service provider, does not require a licence.
- CSPs who offer or intend to offer both LCSs are required to submit separate licence applications and obtain a licence for each LCS.
Applying for a licence
Applicants may apply for the licence here. CorpPass or SingPass credentials are required to access the system.
Each application takes up to 6 weeks to process. Applicants will receive an email notification on the outcome.
Licence validity period and application for renewal
The licence will remain valid for two years from the date of licence issuance.
Licensees must submit an application for renewal at least 2 months before the expiry of the licence.
Criteria for Grant of Licence
To be granted the licence, an applicant must, in the licensing officer’s opinion, be a fit and proper person to hold or to continue to hold the licence, and it must not be against the public interest or a threat to national security for it to be granted the licence.
Fit and proper person criteria
When deciding if an applicant is a fit and proper person, the licensing officer may consider, amongst other things, if the applicant:
|For individuals:||For business entities:|
[1] If the mental health condition is properly managed and certified by a qualified physician or healthcare professional, the presence of a mental health condition will not affect a person’s eligibility to be licensed.
Continuing obligations under the licence
After obtaining the licence, one’s obligations under the licence will be as follows:
Professional conduct – licensees shall (and shall take all reasonable steps to ensure that their officers, employees and/or contractors shall):
- not make any false representation in the course of advertising or providing the LCS;
- comply with all applicable laws in the course of providing the LCS;
- exercise due care and skill, and act with honesty and integrity in the course of providing the LCS;
- not act in a manner where there is a conflict between its interests and that of the person procuring or receiving the LCS; and
- not collect, use, or disclose any information about (i) a computer or computer system of the person procuring or receiving the LCS, or (ii) their business, commercial, or official affairs, except for the purposes of providing the LCS to them, where appropriate written consent has been obtained from them, or where required or allowed to by any court or under law.
Record keeping – licensees must retain records of:
- the name and address of the person engaging the licensee for the service;
- the name and unique identifier of the person providing the service on behalf of the licensee;
  - For individuals, “unique identifier” refers to NRIC, work pass number, passport number, or foreign ID number.
  - For business entities, “unique identifier” refers to UEN, or business entity registration number in the foreign country or territory that the business entity is incorporated or registered in.
- the date on which the service is provided;
- details of the type of service provided; and
- any other particulars that may be prescribed.
Licensees are to retain such records for not less than 3 years after the relevant engagement.
An example of the level of detail expected of such records can be found here.
Assisting in investigations – licensees are to provide the CSA with information concerning:
- any matter relating to or arising from the licensee’s application for the grant or renewal of the licence;
- any breach or potential breach by the licensee of the Cybersecurity Act or any licence conditions; or
- any matter relating to the licensee’s continued eligibility to be the holder of the licence.
Licensees are also to take all reasonable care to keep confidential any information relating to such investigations.
Timely notification of changes – licensees are to notify CSRO of the following (non-inclusive) changes or inaccuracies within 14 days of such change or knowing of such inaccuracy:
- the appointment or removal of any officers of the business entity (via GoBusiness Licensing);
- changes to or inaccuracies in the details of the licensee and/or its officers (via GoBusiness Licensing);
- where the licensee and/or its officers have been declared bankrupt or have gone into compulsory or voluntary liquidation other than for the purpose of amalgamation or reconstruction (via email); or
- criminal convictions or civil judgements entered against the licensee and/or its officers for offences or proceedings involving fraud, dishonesty, breach of fiduciary duty, or moral turpitude, or any offences under the Cybersecurity Act (via email).
Continuing to fulfill fit and proper criteria
No unauthorized usage of CSRO logo
Failure of a licensed CSP to comply with any of the aforementioned conditions may result in revocation or suspension of their licence, and/or a financial penalty of S$10,000 per contravention (not exceeding in the aggregate S$50,000).
How we can help
Clyde & Co is one of the world’s leading cyber teams in the legal sector. We have a global footprint; the team has worked for some of the biggest brands and names in the region and we are sought after to run cybersecurity matters.
Please reach out to any of the authors if you would like to know more about how we can assist you to obtain this new licence.