Cybersecurity service providers must apply for a license by October 11


The agency added that “there are many risks of services being provided by incompetent or substandard providers”. Licensing therefore aims to improve standards over time.

The licensing aims to address the information gap faced by customers, especially smaller ones, by helping them identify credible vendors, CSA said.

Telco StarHub, a cybersecurity services reseller who provided comments on the licensing framework, said that with “the growing importance of cybersecurity in today’s digital world, we understand the need for a calibrated and effective licensing regime”.

One of the services requiring a license is “penetration testing”, which verifies whether an organization can identify and respond to simulated cybersecurity attacks.

Another licensed service is to monitor the activities of computer systems to identify threats.

Organizations that offer licensed cybersecurity services free of charge, as well as entities that provide such services to a related company, do not need to be licensed.

The framework also does not cover offerings aimed at non-professional consumers, such as anti-virus software.

Providers, whether businesses or individuals, who offer a licensed service without a license after the deadline may be fined up to $50,000, jail time up to go up to two years or two.

But providers who apply for a license before October 11 can continue to offer their services until a decision on their application has been made.

Licensed service providers who fail to comply with license terms may have their license revoked or suspended and face fines of up to $10,000 for each violation, capped at $50,000 in total .

The CSA solicited public comment on the licensing framework from September to October last year. Some respondents suggested that licensing should only be required for vendors that offer services directly to customers, and exclude subcontractors or resellers.

And for suppliers who use related companies from the same group of companies here or abroad to offer services to the same customer, they have requested that only one group entity should obtain a license.

The CSA said it understood the concerns about the possible administrative burden. But he added that requiring only one entity to be licensed could undermine regulatory goals, especially since business partnerships, consortia or legal arrangements might not be transparent to customers.

“As long as these entities are committed to providing licensed cybersecurity services to the Singapore market, they must be licensed,” CSA said.

Another suggestion was to publish a list of approved suppliers.

CSA said it will be provided on a new Office of Cybersecurity Services Regulatory website when applicants receive their license.


Comments are closed.