Industry Consultation on Licensing for CSPs

The feedback below was submitted to CSA on 11 Oct 2021 in an individual capacity.

Q1

I refer to item 7 on page 6 of Annex A: Industry Consultation Document, reproduced below. If a company registered in Singapore or an individual residing and working in Singapore is only providing cybersecurity services (Managed SOC or Penetration Testing) to the overseas market and does not have any clients based in Singapore, does that company or individual need to be licensed? This has implications for freelancers based in Singapore who only offer their services over platforms such as Fiverr and Upwork.

7 All CSPs that provide either or both of these licensable cybersecurity services to the Singapore market, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) who are directly engaged for such services, or third-party CSPs that provide these services in support of other CSPs, will need to be licensed. Resellers, or overseas CSPs who provide licensable cybersecurity services to the Singapore market would likewise need to be licensed.

A1

Under Part 5 of the Cybersecurity Act, any person who is in the business of providing A) managed security operations centre (SOC) monitoring; and/or B) penetration testing cybersecurity services to the Singapore market, as set out in the Second Schedule of the Cybersecurity Act (hyperlinked), will need to be licensed unless they are providing the services to their related company (e.g. a subsidiary providing the services to its holding/parent company). Persons providing licensable services solely to the overseas market will not need to be licensed.

Q1.1

Part 5 Section 24 of the Cybersecurity Act

24.—(1) Except under and in accordance with a cybersecurity service provider’s licence granted or renewed under section 26, no person may engage in the business of providing any licensable cybersecurity service* to other persons**

* I have looked at the definition of a "cybersecurity service" in Part 1 Section 2; it does not say the recipient of the service has to be an entity based in Singapore.
* I have also looked at the definition of "licensable cybersecurity services" in the Second Schedule; it does not say the recipient of the service has to be an entity based in Singapore.
** There is no definition of "persons". It does not say persons have to be entities based in Singapore.
*** There is no further writing anywhere else that says "Part 5 Section 24 Subsection (1) does not apply to the provision of a cybersecurity service to an entity based overseas".

Based on my understanding above, providing licensable cybersecurity services, whether locally or overseas, is treated the same in the Act. I would be interested to find out how you derive that Part 5 only applies to services rendered to the Singapore market.

A1.1

The licensing framework was gazetted under Part 5 of the Cybersecurity Act which sought to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Hence it applies to cybersecurity service providers ("CSPs") providing licensable cybersecurity services to the Singapore market, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) who are directly engaged for such services, or third-party CSPs that provide these services in support of other CSPs. Resellers, or overseas CSPs who provide licensable cybersecurity services to the Singapore market would likewise need to be licensed.

My thoughts

I get that the intent of the policy is to govern cybersecurity services provided to local companies only, hence the limited scope. But doesn't that limited scope need to be translated into the law itself? How else would a member of the public or someone from another country know whether he requires a licence to operate? When I look at the Remote Gambling Act, it is very clear which sections apply even to overseas providers and which are limited to Singapore only. It is strange that the Cybersecurity Act lacks clarity in this respect.