Singapore’s Cyber Security Agency (CSA) is to start licensing cyber security service providers in the city-state to safeguard consumer interests and improve service standards over time. Those providing penetration testing and SOC services will need to apply for a licence under a new licensing regime that is expected to safeguard consumer interests and improve service standards.
Announcing the new licensing framework today, the CSA said the move will address the “information asymmetry” between consumers and cyber security service providers, starting with those that offer penetration testing and managed security operations centre (SOC) services.
The CSA said these two services were prioritised because service providers delivering such services can have significant access into their clients’ computer systems and sensitive information. In the event that the access is abused, the client’s operations could be disrupted.
Also, it noted that the two types of services are already widely available and adopted in the market, so have the potential to cause significant impact on the overall cyber security landscape.
The licensing framework was developed following a month-long consultation process, during which 29 responses were received from industry players, industry associations, and members of the public.
For example, some respondents suggested penetration testing should be defined, given the potential confusion with vulnerability assessment.
The CSA noted that penetration testing has already been defined in the Second Schedule to the Cybersecurity Act and that vulnerability assessments usually involve scanning IT systems or networks to identify flaws that may be exploited and do not compromise cyber defences.
This serves as a “common distinction” between vulnerability assessment and penetration testing, for which the former is not a licensable cyber security service, said the CSA. However, those that provide red teaming services that include penetration testing should be licensed.
Existing cyber security service providers that already offer licensable cyber security services will be given six months to apply for a licence. Those that do not apply for a licence – which will be valid for two years – in time will have to stop providing licensable services until they get a licence.
Anyone in the business of providing licensable cyber security services without a licence after 11 October 2022 could be liable to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding two years, or both.
To administer the new licensing framework, the CSA has set up a new Cybersecurity Services Regulation Office, which will manage licensing processes and share resources on licensable cyber security services with consumers, among other activities.
The CSA said it will continue to monitor international and industry trends and engage the industry where necessary, as so to assess whether any new types of cyber security service should be included in the licensing framework.
Step in the right direction
Teo Xiang Zheng, head of advisory at Ensign InfoSecurity, a Singapore-based cyber security firm, said the new licensing framework is a step in the right direction towards elevating the overall standards for penetration testing and managed SOC services in Singapore.
“These cyber security services are currently offered by a wide variety of providers in the market, with varying competency levels. The licensing framework ensures these services are carried out by qualified service providers proficient in these areas,” he added.
Teo noted that the licensing regime will also bring potential business benefits to cyber security service providers.
“For Ensign, the licence from CSA complements the other industry accreditations we have attained to provide additional assurance for clients and prospects. The licensing framework can establish us as a trustworthy service provider and make us more competitive in the sector,” he said.
Editor: IPR Daily-Rene