How To Get A Cybersecurity License In Singapore

Cybersecurity providers and vendors in Singapore now need to adhere to a new licensing framework, per regulations that recently went into effect.

The Cybersecurity Authority (CSA) of Singapore launched the new licensing framework on April 11, 2022, under the country’s Cybersecurity Act. Businesses have six months to apply for the new cybersecurity license as Singapore transitions to the new framework.

Here, we look at the goals of the cybersecurity licensing framework and what steps businesses need to take to acquire a license.

What Is The Cybersecurity License?

The cybersecurity license is a license proving that cybersecurity service providers in Singapore meet requisite standards and can operate legally. The licensing framework falls under Part 5 and the second schedule of the Cybersecurity Act.

According to the CSA, the goal of the new licensing framework is to offer consumers assurance of the quality of cybersecurity providers and reduce information asymmetry between consumers and providers. In addition to consumer protection, the licensing framework aims to encourage cybersecurity providers to increase their standards over time.

The licensing framework is regulated by the Cybersecurity Services Regulation Office (CSRO), under the auspices of the CSA. Besides managing the licensing process and enforcing requirements, the CSRO responds to queries about the license and provides supportive information and resources.

Who Needs To Get A License?

The cybersecurity licensing framework applies to two types of cybersecurity service providers. These are:

• Providers of penetration testing services; and
• Providers of managed security operations center (SOC) monitoring services, including third-party vendors that support such service providers and resellers of licensed cybersecurity services.

The CSA states two main reasons why the licensing framework applies to these types of companies. Firstly, such services often have significant access to the computer systems and sensitive information of their clients. Secondly, these services are already widely used, making them influential in the market.

These two categories of cybersecurity providers may be individuals, such as freelancers and sole proprietors, or businesses, including third-party providers and subcontractors.

When To Apply For The License And What Is Its Validity Period?

Companies and individuals offering these services must apply for a license within six months of the framework’s introduction on April 11, 2022, that is, by October 11, 2022. If a service provider has applied for a license by October 11, 2022, but has not yet acquired the license, they can continue providing services until a decision has been made.

Those who have not applied for a license by the deadline must cease offering services. If they continue to offer services without having applied for a license by October 11, 2022, service providers will face a fine of up to S$50,000 (US$36,000) and up to two years in jail.

The license is valid for two years from when it is granted; the application processing time takes up to six weeks. Service providers seeking renewal of a license must apply within one month of its expiration.

What Are The Conditions To Get A License?

Under the Cybersecurity Act, regulators may refuse to grant a license if the individual or business is “not fit and proper” to hold a license, if it is not in the public interest to grant the license, or if granting the license could be a threat to national security. Additionally, a license may be refused or revoked if the service provider is deemed to have abused their privileges, such as access to clients’ sensitive information.

Individuals may be refused a license if they:

• Have been convicted in Singapore or elsewhere of any offense involving fraud, dishonesty, or moral turpitude;

• Have had a judgment entered against them in civil proceedings involving a finding of fraud, dishonesty, or breach of fiduciary duty;

• Suffer or previously suffered from a mental disorder;

• Are an undischarged bankrupt or has entered into a composition with the creditors of the individual; or

• Have previously had a license revoked by the licensing officer.

Businesses may be refused a license if:

• The business entity has been convicted in Singapore or elsewhere of any offense involving fraud, dishonesty, or moral turpitude;

• The business entity has had a judgment entered against them in civil proceedings involving a finding of fraud, dishonesty, or breach of fiduciary duty;

• Any officer of the business entity is not a fit and proper person to be an officer of a business entity holding the license;

• The business entity is in liquidation or is the subject of a winding-up order, or there is a receiver appointed in relation to the business entity, or the business entity has entered into a composition or scheme of arrangement with the creditors of the business entity; or

• The business entity has previously had a license revoked by the licensing officer.

Additionally, the licensing officer may take into consideration any other factor they consider relevant. In practice, the licensing officer may proscribe additional requirements.

Further, license holders must notify the CSRO if there are changes relating to their suitability to hold a license, changes to the licensee or officers’ business particulars (such as their address or business name), or if they have appointed or removed an officer.

How Much Does A License Cost?

Singapore’s cybersecurity license has two tiers of costs: S$500 (US$360) for individuals and S$1,000 (US$720) for businesses.

Service providers that apply for a license within the first year of the framework (by April 11, 2023) receive a 50 percent reduction in licensing fees as a measure to support businesses from the economic effects of COVID-19. Accordingly, the cybersecurity license costs just S$250 (US$180) for individuals and S$500 (US360) for businesses until April 11, 2023.