MCI's Response to PQs on Regulating Big Tech Companies to Ensure Adherence to Service Standards
Parliament Sitting on 6 November 2023
QUESTION FOR WRITTEN ANSWER
58. Miss Cheryl Chan Wei Ling: To ask the Minister for Communications and Information in view of recent outages of digital services affecting the banks and other essential platforms, what more can be done to ensure that the service providers (i) maintain minimal services during disruptions and (ii) be obligated to have business continuity plans to prevent the public and private sector from being impacted negatively.
89. Mr Saktiandi Supaat: To ask the Minister for Communications and Information in light of the data centre outage on 14 October 2023 affecting banks, telcos, and social media platforms (a) whether there are plans to regulate big technology companies to ensure adherence to service standards given that such outages affect many people and may have a real economic impact; and (b) what are the Ministry’s efforts for Singapore’s overall national security to minimise a concentration of risks from the usage of a few data centres by the public and private sectors.
107. Mr Liang Eng Hwa: To ask the Minister for Communications and Information (a) what are the lessons learnt from the recent disruptions to the various digital services; and (b) whether the Government will step up regulations to minimise risks of data centre outage and to ensure the resiliency of data centre services in Singapore.
The specifics of the recent outage affecting banking services have been, or will be, addressed in response to related parliamentary questions. I will focus on the broader digital infrastructure landscape and the Government’s approach to enhancing its security and resilience.
Where a data centre supports the delivery of essential services or other nationally important systems, we have regulation in place to ensure its security and resilience. For example, the Cyber Security Agency identifies and regulates Critical Information Infrastructure (CII), which can include computer systems situated in a data centre, that are necessary for the provision of essential services in sectors such as government, infocomm, and banking and finance. In addition, sector regulators impose requirements on the service providers in their sectors. Major telcos and banks, for instance, are regulated by the Infocomm Media Development Authority and Monetary Authority of Singapore respectively, for security and resilience. Exercises and audits are conducted to identify potential vulnerabilities and ensure the robustness of service providers’ security and resilience measures.
With more of our economic activity moving online and the growing interconnectedness of our systems, the Government recognises the need to further study our reliance on different components of digital infrastructure, the risks and impact of disruptions, and the need for more interventions. For example, data centres may not all host CII systems but collectively provide foundational services for the proper functioning of our economy. Today, most data centre operators already adopt a risk management approach in line with international standards, including the implementation of measures to ensure resilience. The Government is studying whether and how best to strengthen the security and resilience of data centres as a category of digital infrastructure with significant impact. This may include risk-calibrated regulation for data centres, taking reference from international standards and best practices.
However, we must recognise that regulation alone will not fully eliminate the possibility of outages and disruptions. Industries and enterprises must also play their part. To ensure consumer confidence, entities such as banks, telcos, and digital service providers should take steps to mitigate risks and ensure the continued delivery of important digital services even when outages or disruptions occur.