1. Who needs to apply for a cybersecurity service provider licence?
All providers of managed security operations centre monitoring services and penetration testing services to the Singapore market will need to apply for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) or third-party cybersecurity service providers (“CSPs”) that provide these services in support of other CSPs. However, a company that provides licensable services solely for its related company(s), e.g. as an in-house service provider, does not require a licence. Related company has the same meaning given to it by section 6 of the Companies Act (Cap. 50). Resellers, third-party vendors or overseas CSPs, including the affiliates of a licensee, who provide licensable cybersecurity services to the Singapore market would need to be licensed.
2. Could you give me examples of the third-party vendors and resellers of the licensable cybersecurity services that are regulated under the licensing framework?
Third-party vendors and resellers who are required to be licensed refer to those who are in the business of providing licensable cybersecurity services to consumers on behalf of another service provider (anywhere in the distribution chain) of the licensable cybersecurity services.
3. What do I need to ensure prior to applying for a licence?
Business entities are required to ensure that the officers of the business entity are fit and proper when applying for a licence. Officer of a business entity refers to any director or partner, or other person listed in the business entity’s business profile e.g. ACRA BizFile, with the exception of shareholders (who are not directors or partners) and the company secretary, or any other person who is responsible for the management of the business entity. Individuals who are applying for the licence should also be fit and proper persons to hold the licence, failing which the licence application may be rejected.
4. Who are the Key Executive Officer and Key Officer of a business entity applicant?
Key Executive Officer refers to the person who is responsible for the proper administration and overall management of the business entity and supervision of its employees.
Key Officer refers to any director, partner, or other person listed in the business entity's business profile e.g. ACRA Bizfile, with the exception of shareholders (who are not directors or partners) and the company secretary.
5. How does the Licensing Officer determine whether the officers of a business entity applicant are fit and proper?
The Licensing Officer shall consider all relevant facts and matters when determining if officers of the business entity applicant are fit and proper, including whether the key executive officer and key officers:
a) Has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
b) Has had a judgment entered against him/her in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on his/her part;
c) Is or was suffering from a mental disorder;
d) Is an undischarged bankrupt or has entered into a composition with his/her creditors; or
e) Has had a licence revoked by the Licensing Officer previously.
6. What happens if any of the officers fails to meet the fit and proper criteria?
Business entity applicants with officer(s) failing to meet the fit and proper criteria may be refused a licence by the Licensing Officer. CSRO would like to highlight that every licence application is considered carefully on a case-by-case basis. For instance, officers of a business entity licence applicant who have a past criminal conviction will not automatically be deemed not fit and proper. Factors such as the seriousness and nature of the offence, the time that has elapsed since the conviction, and the responsibility of the officer will be taken into consideration by the Licensing Officer when assessing the licence application.
7. Will quality requirements be imposed on the licensees?
The licensing framework aims to raise the quality of the standards of cybersecurity service providers over time. In view of the need to strike a good balance between industry development and cybersecurity needs, quality requirements will not be imposed on the licensees at the outset.
Instead, to complement the light touch licensing framework, CSRO will continue to work with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals, to improve the standing of cybersecurity professionals.
8. Will CSRO consider licensing other cybersecurity services in the future?
CSRO will continue to monitor international and industry trends and engage the industry where necessary, to assess if any new types of cybersecurity services should be included in the licensing framework, such as those that are of higher risks to consumers.
9. What are the conditions of the licence?
CSRO intends to keep the licensing requirements simple to minimise operational costs on licensees. The requirements that licensees must comply with, as stipulated in the Cybersecurity Act, include:
a) Ensure that officers of business entity licensees are fit and proper persons as defined in section 26(8) of the Cybersecurity Act. For example, the individual has not been convicted of any offence involving fraud, dishonesty, or moral turpitude;
b) Keep, for at least 3 years, records on the cybersecurity services that they have provided. This includes, but is not limited to, details of the person engaging the licensee for the service, name of the person providing the service on behalf of the licensee, date on which the service is provided and details of the type of service provided, etc.;
c) Ensure that any information obtained in the course of providing their cybersecurity services is not disclosed or used by any other person other than for the purpose of providing the cybersecurity services; and
d) Ensure that their employees do not give any false representation to their clients regarding the employees’ level of training, skill, or qualification.
10. How long is the validity period of a licence and what are the fees payable for a licence?
A licence is valid for a period of 2 years and the licence fees for individuals and business entities are $500 and $1000 respectively.
Note: Due to the COVID-19 pandemic which has negatively impacted many businesses, a 50% waiver of the first cycle of licence fees will be granted for all applications lodged between 11 April 2022 and 11 April 2023.
11. By when and how will I receive the notification on the outcome of a licence application?
Each licence application takes up to eight weeks to process. The applicant will receive an email notification on the outcome. If the application is approved, the applicant will be required to make ePayment of the licence fee via GoBusiness Licensing.
12. When should a licence renewal application be submitted?
An application for renewal of a licence must be made no later than 2 months before expiry. Licensees who fail to submit their licence renewal application 2 months prior to the expiry may be required to apply for a new licence. This may result in a possible lapse in the licensure period where the business entity will be required to suspend its operations until the outcome of its licence application is determined.
13. What is the licence renewal application process like?
When a licence is due for renewal, GoBusiness Licensing will send a Renewal Request Notification via email to the licensee. Upon timely submission of the licence renewal application, CSRO will proceed to review the application and the applicant will be notified of the outcome via the system. If the application is approved, the licensee will be required to make ePayment via GoBusiness Licensing.
14. I have difficulties submitting my application to GoBusiness Licensing. Who can I contact for help?
If you are facing any technical difficulties or require any assistance on how to submit the application, you may contact the GoBusiness Licensing Helpdesk at Tel: 63363373.
15. How do I request to terminate a licence?
Licensees who wish to terminate their licence before expiry should submit an application via GoBusiness Licensing within 14 calendar days before ceasing the business of providing the licensable cybersecurity service.
16. What are the changes to business details that a licensee is required to inform the Licensing Officer?
Licensees are required to update changes to their business details through GoBusiness Licensing for the following material changes.
a) Changes to Key Executive Officers;
b) Addition of Key Officers; and
c) Removal of Key Officers.
Other than the above, any other changes that are not material changes will automatically be approved by the system. These include changes to Name, Passport Number, Company Name, Company UEN, address, telephone number, email address, gender, designation, certifications of existing applicant and key officers.
Supporting documentation will be required to be uploaded to GoBusiness Licensing during the update.
17. When should I inform the Licensing Officer in the event of changes to the key officers of my business?
The licensee shall notify the Licensing Officer within 14 days after the appointment of any new key officer. Licensees are also required to notify the Licensing Officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the Licensing Officer in relation to its licence within 14 days. Licensees are reminded to ensure that any new key officer who is appointed must be fit and proper as defined in section 26(8) of the Act, failing which punitive measures may be imposed on the licensee, including revocation or suspension of licence.
18. Will it be an offence to use unlicensed cybersecurity service providers?
It will not be an offence under the Cybersecurity Act to use unlicensed cybersecurity service providers. However, consumers should be wary of the safety and security risks that unlicensed service providers may pose, given the service providers’ extensive access into their clients’ computer systems when providing their services. Any misuse of such confidential information by the unlicensed service providers may result in severe damage to the consumers.
Consumers are therefore encouraged to only procure licensable cybersecurity services from licensed cybersecurity service providers, and to inform CSRO of any service providers providing licensable cybersecurity services without a licence. A person who engages in the business of providing any licensable cybersecurity service to other persons without a licence shall be guilty of an offence under Section 24 of the Cybersecurity Act and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both. Under Section 31 of the Cybersecurity Act, unlicensed cybersecurity service providers are also not entitled to bring any proceeding in any court to recover any commission, fee, gain, or reward for the service provided.
19. Does CSRO have a sense of the number of service providers who will have to be licensed?
Driven by the increasing demand for cybersecurity solutions, the cybersecurity services industry has been evolving rapidly with new and innovative services, products, and business models. CSRO estimates that more than 200 licence applications will be submitted from the industry in relation to the two licensable cybersecurity services.
20. What is the difference between CSA and CSRO?
The Cyber Security Agency of Singapore (CSA) is the agency set up to keep Singapore’s cyberspace safe and secure through the administering of the Cybersecurity Act. To administer the licensing framework, CSA has set up the Cybersecurity Services Regulation Office (CSRO), which will act as the point of interface for all licensing-related matters. These include enforcing the licensing framework; responding to the industry’s queries and feedback; as well as sharing resources on licensable cybersecurity services with consumers, such as the list of licensees and buyer’s guides.
21. Who can I contact for further details?
For further assistance, please contact us at:
Cybersecurity Services Regulation Office
100 Victoria Street
National Library Building #10-01