Singapore

Cybersecurity Act 2018 — PART 4: RESPONSES TO CYBERSECURITY

Part of a comprehensive analysis of the Cybersecurity Act 2018

Investigation and Prevention of Cybersecurity Incidents under the Cybersecurity Act 2018

The Cybersecurity Act 2018 establishes a comprehensive legal framework empowering authorities to investigate and prevent cybersecurity threats and incidents in Singapore. This framework is critical to safeguarding national security, protecting critical information infrastructure, and maintaining public confidence in digital systems. The key provisions in this Part of the Act delineate the powers, responsibilities, and penalties associated with managing cybersecurity incidents, ensuring a robust and effective response to evolving cyber threats.

Section 19: Powers to Investigate and Prevent Cybersecurity Incidents

Section 19 grants the Commissioner of Cybersecurity the authority to investigate cybersecurity threats or incidents upon receiving relevant information. The purpose of these investigations is threefold:

"Where information regarding a cybersecurity threat or incident has been received by the Commissioner, the Commissioner may exercise... powers... to investigate the cybersecurity threat or incident, for the purpose of — (a) assessing the impact or potential impact...; (b) preventing any or further harm...; or (c) preventing a further cybersecurity incident..." — Section 19(1), Cybersecurity Act 2018

This provision exists to enable early detection and assessment of cybersecurity incidents, allowing authorities to understand the scope and potential damage. By empowering the Commissioner to prevent further harm or incidents, the law aims to contain threats before they escalate, thereby protecting critical systems and data.

Section 19 also imposes obligations on individuals to cooperate with investigations. Failure to comply or wilful misstatements attract penalties:

"Any person who — (a) wilfully misstates or without reasonable excuse refuses to give any information...; or (b) without reasonable excuse, fails to comply with an order issued by a Magistrate... shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both." — Section 19(8), Cybersecurity Act 2018

This penalty provision ensures that investigations are not obstructed and that accurate information is provided, which is essential for effective incident management.

Section 20: Enhanced Powers for Serious Cybersecurity Incidents

Section 20 addresses the investigation and prevention of serious cybersecurity incidents that meet a defined severity threshold. The Commissioner is empowered to take more extensive measures, including entry into premises and implementation of remedial actions:

"...the Commissioner may exercise... powers... to investigate the cybersecurity threat or incident, for the purpose of — (a) assessing the impact or potential impact...; (b) eliminating the cybersecurity threat or otherwise preventing any or further harm...; or (c) preventing a further cybersecurity incident." — Section 20(1), Cybersecurity Act 2018

The rationale behind this provision is to equip the Commissioner with stronger tools to address high-risk incidents that could have significant adverse effects on national security or critical infrastructure. The ability to enter premises and enforce remedial measures is vital for timely containment and mitigation.

Non-compliance with investigations under Section 20 attracts more severe penalties, reflecting the gravity of serious incidents:

"Any person who — (a) in relation to an investigation under this section, wilfully misstates or without reasonable excuse refuses to give any information...; (b) ... fails to comply with an order issued by a Magistrate...; (c) ... fails to comply with a direction or requirement...; or (d) ... fails to comply with a lawful demand... shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 2 years or to both." — Section 20(7), Cybersecurity Act 2018

This escalation in penalties underscores the importance of cooperation in serious cybersecurity investigations and deters obstruction or misinformation.

Section 21: Identification of Incident Response Officers

To ensure transparency and accountability during investigations, Section 21 requires incident response officers to identify themselves when exercising their powers:

"Every incident response officer, when exercising any of the powers under this Part, must declare the incident response officer’s office and must, on demand, produce... identification card..." — Section 21, Cybersecurity Act 2018

This provision exists to protect the rights of individuals and organisations by confirming the legitimacy of officers conducting investigations, thereby preventing abuse of power and fostering trust in the enforcement process.

Section 22: Appointment of Cybersecurity Technical Experts

Recognising the technical complexity of cybersecurity incidents, Section 22 authorises the Commissioner to appoint cybersecurity technical experts to assist investigations:

"The Commissioner may in writing appoint... a cybersecurity technical expert... to assist any incident response officer in the course of an investigation under section 19 or 20." — Section 22(1), Cybersecurity Act 2018

These experts may include full-time national servicemen enlisted under the Singapore Armed Forces Act 1972 or members of the Special Constabulary under the Police Force Act 2004:

"a full-time national serviceman enlisted in any force constituted under the Singapore Armed Forces Act 1972 or in the Special Constabulary constituted under section 66 of the Police Force Act 2004." — Section 22(1)(c), Cybersecurity Act 2018

The appointment of technical experts ensures that investigations are conducted with the necessary expertise, enabling accurate assessment and effective response to complex cyber threats.

Section 23: Emergency Cybersecurity Measures and Ministerial Powers

Section 23 empowers the Minister to authorise or direct persons or organisations to take necessary measures to prevent, detect, or counter serious and imminent cybersecurity threats:

"The Minister may... authorise or direct any person or organisation... to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat..." — Section 23(1), Cybersecurity Act 2018

This provision is designed to enable swift and decisive action in emergency situations where delays could result in significant harm. The measures may include exercising powers under the Criminal Procedure Code 2010, such as search and seizure:

"The measures and requirements mentioned in subsection (1) may include, without limitation — (a) the exercise by the specified person of the powers in sections 39(1)(a) and (b) and (2)(a) and (b) and 40(2)(a), (b) and (c) of the Criminal Procedure Code 2010;" — Section 23(2)(a), Cybersecurity Act 2018

Failure to comply with Ministerial directions or to take required measures attracts severe penalties, reflecting the critical importance of compliance during emergencies:

"A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister... shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both." — Section 23(4), Cybersecurity Act 2018

"Any person who, without reasonable excuse — (a) obstructs a specified person...; or (b) fails to comply with any direction given by a specified person... shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both." — Section 23(5), Cybersecurity Act 2018

Additionally, confidentiality obligations are imposed to protect sensitive information obtained during emergency measures:

"Any person who contravenes subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both." — Section 23(9), Cybersecurity Act 2018

This ensures that information disclosed or accessed during emergency responses is safeguarded, maintaining trust and security.

Definition of "Incident Response Officer"

Understanding who is authorised to exercise the powers under this Part is essential. Section 19(9) defines the term "incident response officer" as follows:

"In this section and sections 20, 21 and 22, 'incident response officer' means the Commissioner, the Deputy Commissioner or any Assistant Commissioner, cybersecurity officer or authorised officer exercising the powers under this section or section 20, as the case may be." — Section 19(9), Cybersecurity Act 2018

This definition clarifies the scope of authority and ensures that only designated officials may conduct investigations and enforce measures, thereby maintaining proper governance and accountability.

Cross-References to Other Legislation

The Cybersecurity Act 2018 integrates with other legislative frameworks to enhance its effectiveness. Notably, Section 23(2)(a) references the Criminal Procedure Code 2010, enabling the exercise of powers such as search, seizure, and detention during emergency cybersecurity measures:

"The measures and requirements mentioned in subsection (1) may include, without limitation — (a) the exercise by the specified person of the powers in sections 39(1)(a) and (b) and (2)(a) and (b) and 40(2)(a), (b) and (c) of the Criminal Procedure Code 2010;" — Section 23(2)(a), Cybersecurity Act 2018

Furthermore, Section 22(1)(c) allows the appointment of cybersecurity technical experts from the Singapore Armed Forces and the Special Constabulary, linking the Act to the Singapore Armed Forces Act 1972 and the Police Force Act 2004:

"a full-time national serviceman enlisted in any force constituted under the Singapore Armed Forces Act 1972 or in the Special Constabulary constituted under section 66 of the Police Force Act 2004." — Section 22(1)(c), Cybersecurity Act 2018

These cross-references ensure that cybersecurity enforcement is supported by established legal powers and personnel, facilitating coordinated and effective responses.

Conclusion

The provisions under this Part of the Cybersecurity Act 2018 collectively establish a robust legal regime for investigating and preventing cybersecurity incidents in Singapore. By empowering the Commissioner and designated officers with investigative and enforcement powers, mandating identification and cooperation, enabling technical expertise, and authorising emergency measures, the Act addresses the multifaceted challenges posed by cyber threats.

The graduated penalties for non-compliance reflect the seriousness with which Singapore treats cybersecurity, ensuring that individuals and organisations are incentivised to cooperate fully. Cross-references to other legislation further strengthen the framework, enabling a comprehensive and coordinated approach to cybersecurity governance.

Sections Covered in This Analysis

  • Section 19: Powers to investigate and prevent cybersecurity incidents
  • Section 20: Powers to investigate and prevent serious cybersecurity incidents
  • Section 21: Identification requirements for incident response officers
  • Section 22: Appointment of cybersecurity technical experts
  • Section 23: Emergency cybersecurity measures and Ministerial powers
  • Definition of "incident response officer" under Section 19(9)
  • Cross-references to the Criminal Procedure Code 2010, Singapore Armed Forces Act 1972, and Police Force Act 2004

Source Documents

For the authoritative text, consult Singapore Statutes Online (SSO).

Written by Sushant Shukla

Legal Wires
