Following the commencement of the Cyber Security Agency of Singapore’s licensing framework for companies providing cybersecurity services (“CSPs”), CSPs in Singapore will now have to apply for a licence for the provision of such services by 11 October 2022.
A CSP that applies for a licence by 11 October 2022 may continue to provide its service until a decision on its licence application has been made.
It is an offence to provide a licensable cybersecurity service (“LCS”) without a licence after 11 October 2022, and any persons doing so shall be liable on conviction to a fine not exceeding S$50,000 and/or to imprisonment for a term not exceeding 2 years.
At a Glance
|Who does this affect?||
All providers of:
Companies providing both services must obtain separate licences for each service.
|How to apply||
Applicants may apply for a licence here.
CorpPass or SingPass credentials are required to access the system.
|Licence fees for each licence||
Business entities: S$1000
A 50% waiver will be granted on all applications lodged by 10 April 2023.
|Application processing time||
Up to 6 weeks from the receipt of the complete application including all supporting documents.
Applicants will be notified of the outcome of the application via email.
|Licence validity period||
2 years from date of licence issuance.
|Criteria for grant of licence||Applicant must be a “fit and proper” person and the grant of the licence must not be against the public interest or a threat to national security.|
|Continuing obligations under licence||
The licensee must comply with the following licence conditions:
Who does this affect?
The licensing requirement applies to all CSPs that provide either or both of the following LCSs to the Singapore market:
|Managed security operations centre monitoring service||A service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system.|
|Penetration testing service||
A service for assessing, testing or evaluating the level of cybersecurity of a computer or computer system, by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system, and includes any of the following activities:
Applying for a licence
Applicants may apply for the licence here. CorpPass or SingPass credentials are required to access the system.
Each application takes up to 6 weeks to process. Applicants will receive an email notification on the outcome.
Licence validity period and application for renewal
The licence will remain valid for two years from the date of licence issuance.
Licensees must submit an application for renewal at least 2 months before the expiry of the licence.
Criteria for Grant of Licence
To be granted the licence, an applicant must, in the licensing officer’s opinion, be a fit and proper person to hold or to continue to hold the licence, and it must not be against the public interest or a threat to national security for it to be granted the licence.
Fit and proper person criteria
When deciding if an applicant is a fit and proper person, the licensing officer may consider, amongst other things, if the applicant:
|For individuals:||For business entities:|
1 If the mental health condition is properly managed and certified by a qualified physician or healthcare professional, the presence of a mental health condition will not affect a person’s eligibility to be licensed.
Continuing obligations under the licence
After obtaining the licence, one’s obligations under the licence will be as follows:
Professional conduct – licensees shall (and shall take all reasonable steps to ensure that their officers, employees and/or contractors shall):
Record keeping – licensees must retain records of:
Licensees are to retain such records for not less than 3 years after the relevant engagement.
An example of the level of detail expected of such records can be found here.
Assisting in investigations – licensees are to provide the CSA with information concerning:
Licensees are also to take all reasonable care to keep confidential any information relating to such investigations.
Timely notification of changes – licensees are to notify CSRO of the following (non-inclusive) changes or inaccuracies within 14 days of such change or knowing of such inaccuracy:
Continuing to fulfill fit and proper criteria
No unauthorized usage of CSRO logo
Failure of a licensed CSP to comply with any of the aforementioned conditions may result in revocation or suspension of their licence, and/or a financial penalty of S$10,000 per contravention (not exceeding in the aggregate S$50,000).
How we can help
Clyde & Co is one of the world’s leading cyber teams in the legal sector. We have a global footprint; the team has worked for some of the biggest brands and names in the region and we are sought after to run cybersecurity matters.
Please reach out to any of the authors if you would like to know more on how we can assist you to obtain this new licence.