SINGAPORE – Cyber-security service providers, verifying if businesses are vulnerable to hacking and monitoring information technology systems for suspicious activities, will soon have to be licensed.
This aims to give greater assurance of safety to customers and raise the quality of the providers, said the Cyber Security Agency of Singapore (CSA) on Monday (Sept 20).
The providers, which can be companies or individuals, will be licensed under a new framework expected to kick in by early next year. CSA has launched a public consultation on the licensing conditions and legislation.
Service providers will be given six months from the start of the framework to apply for a licence.
One of these services to be licensed is “penetration testing”, which checks if an organisation can identify and respond to simulated cyber-security attacks.
The other licensable service entails monitoring activities in computer systems to identify threats.
If these services are offered without a licence, providers can be fined up to $50,000, jailed up to two years, or both, if convicted.
Licences can also be revoked or suspended. CSA can fine an errant company or individual up to $10,000 for each failure to comply with a licensing condition. The total fine should not exceed $50,000 for various conditions that were not complied with on a particular occasion.
The requirements include needing key officers to be “fit and proper”. They should not have any criminal convictions or judgment against them in civil proceedings involving fraud, dishonesty, or morally depraved or wicked behaviour.
Companies or individuals must inform CSA at least 30 days before the appointment of a new key officer. They must also provide information to help it investigate any potential breaches of the licence.
They also need to keep basic records on the services provided for at least three years, including client names and details of the work done, and keep clients’ information confidential.
The framework does not cover offerings for non-business consumers, such as anti-virus software or services that monitor e-mails for malware.
According to a July report by CSA, cyber threats here have risen. For instance, “zombie” devices linked to the Internet, and infected with malware that allows hackers to control them and launch cyber attacks, have tripled in number here amid the Covid-19 pandemic.
An average of 6,600 malware-laced devices, also called botnet drones, were observed here last year on a daily basis, a big jump from 2,300 in 2019.
CSA estimates that more than 150 licence applications will be submitted.
The licence, new or renewed, is expected to last for two years. The fee is $1,000 for business entities and $500 for individuals such as freelancers or sole proprietorships owned and controlled by individuals.
But due to the pandemic, 50 per cent of the fees will be waived for applications lodged in the first 12 months from the start of the licensing framework.
Details of CSA’s industry consultation on the framework can be found at www.csa.gov.sg and the public has until 5pm on Oct 18 to give feedback.