New Licensing Requirements for Cyber-Security Service Providers in Singapore

Oct 2021

The Cyber Security Agency of Singapore (CSA) has announced that Cyber-Security service providers will have to be licensed by early 2022 to continue operations. As these providers help to verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, licensing will give greater assurance of safety to customers and raise the quality of the providers.

This move comes after a mid-year report from CSA found that cyber threats in Singapore have risen. For example, the number of devices with internet access that are infected with malware, also known as “zombie” devices, which can be controlled by hackers to launch cyber-attacks, have tripled their numbers here amid the Covid-19 pandemic. An average of 6,600 malware-laced devices, also called botnet drones, were observed in Singapore in 2020 on a daily basis, a big jump from 2,300 in 2019.

For a start, CSA will license only two types of service providers, namely those providing penetration testing and managed security operations center monitoring services. These two services are prioritized because service providers performing such services can have significant access to their clients’ computer systems and sensitive information. In the event that the service is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause a significant impact on the overall cybersecurity landscape.

All providers of the licensable cybersecurity services, regardless of whether they are companies or individuals directly engaged for such services or third-party vendors that support these companies, will need to be licensed. The license, new or renewed, would be valid for 2 years and cost SGD 1,000 (USD 741) for business entities and SGD 500 (USD 371) for individuals, such as freelancers or a sole proprietorship, to obtain. However, licenses can also be revoked or suspended, and errant companies or individuals can be fined up to SGD 10,000 (USD 7,416) for each failure to comply, up to a maximum of SGD 50,000 (USD 37,081).

(Sources: Cyber Security Agency of Singapore; The Straits Times)

About Us

Orissa International helps companies that want to develop a market entry strategy for Southeast Asia or implement their business expansion into the region. We have very strong domain knowledge of markets and industry sectors, and a business network of over 16,000 companies that includes distributors, resellers, system integrators and local manufacturers, that we have built through advising and guiding more than 5,000 companies with their market expansion into the ASEAN region over the last 25 years.

Orissa International is headquartered in Singapore, with additional offices in Malaysia, Indonesia, Thailand, Vietnam, and the Philippines.

Our Services