New Licensing Requirements for Companies Providing Cybersecurity Services

  • Legal Development 17 June 2022
  • Cyber Risk

Following the commencement of the Cyber Security Agency of Singapore’s licensing framework for companies providing cybersecurity services (“CSPs”), CSPs in Singapore will now have to apply for a licence for the provision of such services by 11 October 2022.

A cybersecurity service provider who applies for a licence by 11 October 2022 may continue to provide its service until a decision on their licence application has been made.

It is an offence to provide a licensable cybersecurity service (“LCS”) without a licence after 11 October 2022, and any person doing so shall be liable on conviction to a fine not exceeding S$50,000 and/or to imprisonment for a term not exceeding 2 years.

At a Glance

Who does this affect?

All providers of:

  1. Managed security operations centre monitoring service; and/or
  2. Penetration testing service

Companies providing both services must obtain separate licences for each service.

How to apply

Applicants may apply for a licence here.

CorpPass or SingPass credentials are required to access the system.

Licence fees for each licence

Individuals: S$500

Business entities: S$1000

A 50% waiver will be granted on all applications lodged by 10 April 2023.

Application processing time

Up to 6 weeks from the receipt of the complete application including all supporting documents.

Applicants will be notified of the outcome of the application via email.

Licence validity period

2 years from date of licence issuance.

Criteria for grant of licence

Applicant must be a “fit and proper” person and the grant of the licence must not be against the public interest or a threat to national security.

Continuing obligations under licence

Licensee must comply with the following licence conditions:

  • Professional conduct
  • Record keeping
  • Assisting in investigations
  • Timely notification of changes
  • Continued fulfillment of fit and proper criteria
  • No unauthorized usage of the logo of the Cybersecurity Services Regulation Office of Singapore (“CSRO”)

 

Who does this affect?

The licensing requirement applies to all CSPs that provide either or both of the following LCSs to the Singapore market:

Managed security operations centre monitoring service

A service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system.

Penetration testing service

A service for assessing, testing or evaluating the level of cybersecurity of a computer or computer system, by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system, and includes any of the following activities:

  1. determining the cybersecurity vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
  2. determining or testing the organisation’s ability to identify and respond to cybersecurity incidents through simulation of attempts to penetrate the cybersecurity defences of the computer or computer system;
  3. identifying and quantifying the cybersecurity vulnerabilities of a computer or computer system, indicating vulnerabilities and providing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk; or
  4. utilizing social engineering to assess the level of vulnerability of an organization to cybersecurity threats.

 Notes:

  • Such requirements apply regardless of whether the person is a company, an individual, a third-party CSP that provides LCSs in support of other CSPs, a reseller, or overseas CSP.
  • However, a company that provides licensable services solely for its related company(s), e.g. as an in-house service provider, does not require a licence.
  • CSPs who offer or intend to offer both LCSs are required to submit separate licence applications and obtain a licence for each LCS.

Applying for a licence

Applicants may apply for the licence here. CorpPass or SingPass credentials are required to access the system.

Timeframe

Each application takes up to 6 weeks to process. Applicants will receive an email notification on the outcome.

Licence validity period and application for renewal

The licence will remain valid for two years from the date of licence issuance.

Licensees must submit an application for renewal at least 2 months before the expiry of the licence.

Criteria for Grant of Licence

To be granted the licence, an applicant must, in the licensing officer’s opinion, be a fit and proper person to hold or to continue to hold the licence, and it must not be against the public interest or a threat to national security for it to be granted the licence.

Fit and proper person criteria

When deciding if an applicant is a fit and proper person, the licensing officer may consider, amongst other things, if the applicant:

For individuals:

  1. has been convicted in Singapore or elsewhere for any offence involving fraud, dishonesty or moral turpitude;
  2. has had a judgment entered against them in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on their part;
  3. is or has been suffering from a mental disorder¹;
  4. is an undischarged bankrupt or has entered into a composition with their creditors; or
  5. has had a licence revoked by the licensing officer previously.

¹ If the mental health condition is properly managed and certified by a qualified physician or healthcare professional, the presence of a mental health condition will not affect a person’s eligibility to be licensed.

For business entities:

  1. has been convicted in Singapore or elsewhere for any offence involving fraud, dishonesty or moral turpitude;
  2. has had a judgment entered against it in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on its part;
  3. has any officers who are not fit and proper persons to be officers of a business entity holding the licence;
  4. is in liquidation or is the subject of a winding up order, or there is a receiver appointed in relation to it, or it has entered into a composition or scheme of arrangement with its creditors; or
  5. has had a licence revoked by the licensing officer previously.


Continuing obligations under the licence

After obtaining the licence, one’s obligations under the licence will be as follows:

Professional conduct – licensees shall (and shall take all reasonable steps to ensure that their officers, employees and/or contractors shall):

  • not make any false representation in the course of advertising or providing the LCS;
  • comply with all applicable laws in the course of providing the LCS;
  • exercise due care and skill, and act with honesty and integrity in the course of providing the LCS;
  • not act in a manner where there is a conflict between its interests and that of the person procuring or receiving the LCS; and
  • not collect, use, or disclose any information about (i) a computer or computer system of the person procuring or receiving the LCS, or (ii) their business, commercial, or official affairs, except for the purposes of providing the LCS to them, where appropriate written consent has been obtained from them, or where required or allowed to by any court or under law.

Record keeping – licensees must retain records of:

  • the name and address of the person engaging the licensee for the service;
  • the name and unique identifier of the person providing the service on behalf of the licensee;
    • For individuals, “unique identifier” refers to NRIC, work pass number, passport number, or foreign ID number.
    • For business entities, “unique identifier” refers to UEN, or business entity registration number in the foreign country or territory that the business entity is incorporated or registered in.
  • the date on which the service is provided;
  • details of the type of service provided; and
  • any other particulars that may be prescribed.

Licensees are to retain such records for not less than 3 years after the relevant engagement.

An example of the level of detail expected of such records can be found here.

Assisting in investigations – licensees are to provide the CSA with information concerning:

  • any matter relating to or arising from the licensee’s application for the grant or renewal of the licence;
  • any breach or potential breach by the licensee of the Cybersecurity Act or any licence conditions; or
  • any matter relating to the licensee’s continued eligibility to be the holder of the licence.

Licensees are also to take all reasonable care to keep confidential any information relating to such investigations.

Timely notification of changes – licensees are to notify CSRO of the following (non-exhaustive) changes or inaccuracies within 14 days of such change or of becoming aware of such inaccuracy:

  • the appointment or removal of any officers of the business entity (via GoBusiness Licensing);
  • changes to or inaccuracies in the details of the licensee and/or its officers (via GoBusiness Licensing);
  • where the licensee and/or its officers have been declared bankrupt or have gone into compulsory or voluntary liquidation other than for the purpose of amalgamation or reconstruction (via email); or
  • criminal convictions or civil judgments entered against the licensee and/or its officers for offences or proceedings involving fraud, dishonesty, breach of fiduciary duty, or moral turpitude, or any offences under the Cybersecurity Act (via email).

Continuing to fulfill fit and proper criteria

No unauthorized usage of CSRO logo

Failure of a licensed CSP to comply with any of the aforementioned conditions may result in revocation or suspension of their licence, and/or a financial penalty of S$10,000 per contravention (not exceeding in the aggregate S$50,000).

How we can help

Clyde & Co is one of the world’s leading cyber teams in the legal sector. We have a global footprint; the team has worked for some of the biggest brands and names in the region and we are sought after to run cybersecurity matters.

Please reach out to any of the authors if you would like to know more about how we can assist you in obtaining this new licence.
