Following a series of cyber outages, including a major incident at a data center in October 2023 that disrupted healthcare and banking services, Singapore is introducing a new Digital Infrastructure Act (DIA) to bolster resilience and security of its critical digital infrastructure.
The October 14 outage at an Equinix data center affected banking services of DBS and Citibank in Singapore, and caused issues with Facebook, Instagram, WhatsApp, and Call of Duty in the Philippines, Hong Kong, and India. It was later attributed to an issue with its chilled water system. The four-hour outage is believed to have caused around 2.5 million failed transactions.
The DIA is expected to take a broader approach to the current Cyber Security Act and encompasses a wider range of risks faced by digital service providers including technical misconfigurations in cloud environments and physical disruptions like fires, water leaks, and cooling system failures.
A post from Singapore’s Ministry of Communications and Information stated: “Hence, it is necessary for the Government to go beyond the CS Act to enhance the resilience and security of other digital infrastructure and services that enterprises and citizens rely heavily on in our highly digitalized economy and society.”
The DIA is expected to mandate reporting obligations for significant outages and cyber incidents by entities like telecom providers, cloud service providers, and data center operators. This will give authorities a clearer picture of the digital risk landscape and enable them to take appropriate action.
The task force formulating the DIA is expected to consult with industry players to “balance trade-offs, such as those between risk mitigation and compliance costs, and between tailoring interventions to Singapore’s context and accounting for global operations of many providers.”
Noting that “regulation alone is insufficient”, the task force will also explore non-regulatory measures like best practice guidelines for digital infrastructure providers.
Following recent outages, the Singaporean government is considering amending the Cybersecurity bill to classify data centers and clouds as “critical infrastructure.” In Singapore, critical digital infrastructure encompasses cloud computing services both within and outside the country, provided they are deemed essential for continuous service delivery and whose compromise would severely impact the availability of essential services in Singapore.
If enacted, this amendment would subject digital infrastructure providers to higher regulatory standards, mandating compliance with audits. Non-compliance could result in penalties and fines.
These combined efforts demonstrate Singapore’s commitment to safeguarding its digital infrastructure, ensuring the continued smooth operation of its financial sector, businesses, and essential services.