Cyber-security service providers must apply for a licence by Oct 11
The agency added that the “risks of services being carried out by incompetent or substandard providers are multifold”. Licensing, thus, seeks to improve standards over time.
Licensing aims to address an information gap faced by customers, especially smaller ones, by helping them to identify credible providers, said CSA.
Telco StarHub, one reseller of cyber-security services that provided feedback on the licensing framework, said that with the “growing importance of cyber security in today’s digital world, we understand the need for a calibrated and effective licensing regime”.
One of the services that require licensing is “penetration testing”, which checks if an organisation can identify and respond to simulated cyber-security attacks.
Another licensable service is for monitoring activities in computer systems to identify threats.
Organisations that offer licensable cyber-security services for free, as well as entities that provide such services to a related company, do not need to be licensed.
The framework also does not cover offerings for non-business consumers, such as anti-virus software.
Providers, either companies or individuals, who offer a licensable service without a licence after the deadline can be fined up to $50,000, jailed for up to two years or both.
But providers who apply for a licence by Oct 11 can continue to offer their services until a decision on their application has been made.
Licensed service providers that fail to meet licensing conditions can have their licence revoked or suspended, and face a fine of up to $10,000 for each infringement, capped at $50,000 in total.
CSA sought public feedback on the licensing framework from September to October last year. Some respondents suggested that licensing be required only for providers that offer services to clients directly, and exclude sub-contractors or resellers.
And for providers that tap related businesses from the same corporate group here or overseas to offer services to the same customer, they asked that just one entity in the group needs to be licensed.
CSA said it understood the concerns over the possible administrative burden. But it added that requiring only one entity to be licensed might…