Vendors offering two categories of cybersecurity services in Singapore now must apply for a licence to continue providing such services. They have up to six months to do so or will have to cease the provision of such services, if they do not wish to face the possibility of a jail term or fine.

Specifically, companies that provide penetration testing as well as managed security operations centre (SOC) monitoring services will need a licence to offer these services in Singapore. These include companies and individuals directly engaged in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to Cyber Security Authority (CSA) Singapore. 

The industry regulator said the licensing framework, effective from April 11, was parked under the country’s Cybersecurity Act and aimed to better protect consumers’ interests. It also served to improve service providers’ standards and standing over time.

CSA added that the two service categories were prioritised to kickstart the licensing regime because providers of these services had significant access to their customers’ ICT systems and sensitive data.

Should such access be abused, the client’s operations could be disrupted, the regulator noted. 

It added that because these services were widely available and adopted, they also had the potential to cause significant impact on the wider cybersecurity landscape. 

Vendors currently engaged in the provision of either or both service categories had until October 11, 2022, to apply for a licence. Those that failed to do so on time would have to stop providing the service until a licence was obtained.

ZDNet asked if individuals who were part of global communities that participated in bug bounties would be required to have a licence to do so in Singapore. A CSA spokesperson said these white hat or ethical hackers aimed to uncover vulnerabilities in systems that were part of a bug bounty programme. These then were reported to the organisations for remediation.

Businesses that organised bug bounty programmes and the individual white hat hackers involved in such initiatives were excluded from the licensing framework, unless they also were in the business of providing penetration testing or managed SOC services, the spokesperson said.

“Bug bounty programmes complement the conventional methods of vulnerability assessment and penetration testing, enabling the participant undergoing the programme to benchmark its defences against the global and local community of researchers and white hats,” CSA told ZDNet. 

Service providers that submitted their application for a licence within six months would be permitted to continue delivering the licensable service until a decision on the application was made.

Any person who provided the licensable services without a licence after October 11, 2022, would face a fine not exceeding SG$50,000 ($36,673) or a jail term of up to two years, or both. 

Individuals would have to pay SG$500 for their licence, while businesses would have to fork out SG$1,000. Each licence would be valid for two years. 

CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023. 

A Cybersecurity Services Regulation Office had been set up to administer the licensing framework and facilitate communications between the industry and wider public on all licensing-related issues. 

Its responsibilities include enforcing and managing licensing processes and sharing resources on licensable cybersecurity services with the public, such as providing the list of licensees.

Commenting on other cybersecurity services that might be licensable in future, CSA said it would “continue to monitor international and industry trends” as well as engage the industry, where necessary, to assess if new service categories should be included.

The launch of the licensing framework comes after a four-week consultation period that ended last October. 

CSA said it received 29 responses from both local and international market players as well as industry associations and members of the public. 

Information required to assess if applicants are “fit and proper”

One piece of feedback pertained to information required, upon request, to facilitate the regulator’s investigations into matters such as breaches by licensees or the licensee’s continued eligibility. There were suggestions that the language of the proposed licence conditions be tightened, so that requests were not overly generic, and that there be more clarity on the types of information that might be requested.

CSA said it had revised the language of the licence conditions to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation. 

Asked to provide examples of information that would be asked of licence applicants, the CSA spokesperson told ZDNet these included the qualifications and experience of the applicant.

In addition, information “relevant” for the licensing officer to consider whether the applicant was “fit and proper” would be required, such as whether the applicant had any conviction in Singapore or elsewhere for an offence involving fraud, dishonesty, or moral turpitude, the spokesperson explained.

On whether applicants would be asked about their nationalities or business links to nations currently under relevant sanctions, the CSA spokesperson said applicants would be asked to provide their nationality as part of the licence application process. The same requirements, though, would apply to all service providers as long as they provided licensable penetration testing or managed SOC monitoring services to customers in Singapore.

“Additional information necessary for the licensing officer to make an assessment on whether the applicant is fit and proper may also be required,” the spokesperson said.
