PART 3
CRITICAL INFORMATION INFRASTRUCTURE

Designation of critical information infrastructure

7.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
    (a) the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
    (b) the computer or computer system is located wholly or partly in Singapore.

(2) A notice issued under subsection (1) must —
    (a) identify the computer or computer system that is being designated as a critical information infrastructure;
    (b) identify the owner of the computer or computer system so designated as a critical information infrastructure;
    (c) inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;
    (d) provide the name and contact particulars of the officer assigned by the Commissioner to supervise the critical information infrastructure;
    (e) inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
    (f) inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —
    (a) the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and
    (b) another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a critical information infrastructure is a reference to the person mentioned in subsection (4)(b).

(7) Where —
    (a) a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and
    (b) the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,
the owner of the critical information infrastructure must notify the Commissioner of this without delay.

(8) Where a critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the critical information infrastructure is treated as the owner of the critical information infrastructure for the purposes of this Act.

(9) A notice issued under this section need not be published in the Gazette.

Power to obtain information to ascertain if computer, etc., fulfils criteria of critical information infrastructure

8.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria of a critical information infrastructure.

(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria of a critical information infrastructure.

(3) Without limiting subsection (2), the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —
    (a) information relating to —
        (i) the function that the computer or computer system is employed to serve; and
        (ii) the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;
    (b) information relating to the design of the computer or computer system; and
    (c) any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria of a critical information infrastructure.

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.

Withdrawal of designation of critical information infrastructure

9. The Commissioner may, by written notice, withdraw the designation of any critical information infrastructure at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria of a critical information infrastructure.

Furnishing of information relating to critical information infrastructure

10.—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:
    (a) information on the design, configuration and security of the critical information infrastructure;
    (b) information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
    (c) information relating to the operation of the critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
    (d) any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the critical information infrastructure.

(2) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3) The owner of a critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4) The owner of a critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).

(5) If a material change is made by or on behalf of the owner of a critical information infrastructure to the design, configuration, security or operation of the critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (1), the owner of the critical information infrastructure must notify the Commissioner of the change not later than 30 days after the change is made.

(6) For the purposes of subsection (5), a change is a material change if the change affects or may affect the cybersecurity of the critical information infrastructure or the ability of the owner of the critical information infrastructure to respond to a cybersecurity threat or incident affecting the critical information infrastructure.

(7) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.

Codes of practice and standards of performance

11.—(1) The Commissioner may, from time to time —
    (a) issue or approve one or more codes of practice or standards of performance for the regulation of the owners of critical information infrastructure with respect to measures to be taken by them to ensure the cybersecurity of the critical information infrastructure; or
    (b) amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).

(2) If any provision in any code of practice or standard of performance is inconsistent with this Act, the provision, to the extent of the inconsistency, does not have effect.

(3) Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must —
    (a) publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;
    (b) specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and
    (c) ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to the owner of a critical information infrastructure to which that code or standard applies.

(4) None of the following has any effect until the notice relating to it is published in accordance with subsection (3):
    (a) a code of practice or standard of performance;
    (b) an amendment to a code of practice or standard of performance;
    (c) a revocation of a code of practice or standard of performance.

(5) Any code of practice or standard of performance has no legislative effect.

(6) Subject to subsections (4) and (7), every owner of a critical information infrastructure must comply with the codes of practice and standards of performance that apply to the critical information infrastructure.

(7) The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to the owner of a critical information infrastructure of any code of practice or standard of performance, or any part of it.

Power of Commissioner to issue written directions

12.—(1) The Commissioner may, if the Commissioner thinks —
    (a) it is necessary or expedient for ensuring the cybersecurity of a critical information infrastructure or a class of critical information infrastructure; or
    (b) it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to the owner of a critical information infrastructure or a class of such owners.

(2) Without limiting subsection (1), a direction under that subsection may relate to —
    (a) the action to be taken by the owner or owners in relation to a cybersecurity threat;
    (b) compliance with any code of practice or standard of performance applicable to the owner;
    (c) the appointment of an auditor approved by the Commissioner to audit the owner or owners on their compliance with this Act or any code of practice or standard of performance applicable to the owner or owners; or
    (d) any other matters that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the critical information infrastructure.

(3) A direction under subsection (1) may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons whom the Commissioner proposes to issue the direction —
    (a) stating that the Commissioner proposes to issue the direction and setting out its effect; and
    (b) specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Change in ownership of critical information infrastructure

13.—(1) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a critical information infrastructure, the relevant person must inform the Commissioner of the change in ownership not later than 7 days after the date of that change in ownership.

(2) Any person who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.

(3) In subsection (1), the relevant person is —
    (a) in the case of a transfer of the whole of the legal ownership of the critical information infrastructure to another person — the person who was the owner of the critical information infrastructure before the change in ownership; or
    (b) in any other case, an owner of the critical information infrastructure.

Duty to report cybersecurity incident in respect of critical information infrastructure, etc.

14.—(1) The owner of a critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
    (a) a prescribed cybersecurity incident in respect of the critical information infrastructure;
    (b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
    (c) any other type of cybersecurity incident in respect of the critical information infrastructure that the Commissioner has specified by written direction to the owner.

(2) The owner of a critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the critical information infrastructure, as set out in any applicable code of practice.

(3) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.

Cybersecurity audits and risk assessments of critical information infrastructure

15.—(1) The owner of a critical information infrastructure must —
    (a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance of the critical information infrastructure with this Act and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and
    (b) at least once a year, starting from the date of the notice issued under section 7, conduct a cybersecurity risk assessment of the critical information infrastructure in the prescribed form and manner.

(2) The owner of the critical information infrastructure must, not later than 30 days after the completion of the audit mentioned in subsection (1)(a) or the cybersecurity risk assessment mentioned in subsection (1)(b), furnish a copy of the report of the audit or assessment to the Commissioner.

(3) Where it appears to the Commissioner from the report of an audit furnished under subsection (2), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the owner of the critical information infrastructure to cause the auditor to carry out that aspect of the audit again.

(4) Where it appears to the Commissioner that —
    (a) the owner of a critical information infrastructure has not complied with a provision of this Act, or an applicable code of practice or standard of performance; or
    (b) any information provided by the owner of a critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,
the Commissioner may by order require an audit in respect of the critical information infrastructure to be carried out by an auditor appointed by the Commissioner, for the purpose of ascertaining the owner’s compliance with this Act or an applicable code of practice or standard of performance, or the accuracy or completeness of the information (as the case may be) and the cost of such audit must be borne by the owner.

(5) Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (2), that the assessment was not carried out satisfactorily, the Commissioner may either —
    (a) direct the owner of the critical information infrastructure to carry out further steps to evaluate the level of cybersecurity of the critical information infrastructure; or
    (b) appoint a cybersecurity service provider to conduct another cybersecurity risk assessment of the critical information infrastructure, and the cost of such assessment must be borne by the owner.

(6) Where the owner of a critical information infrastructure has notified the Commissioner under section 10(5) of a material change made to the design, configuration, security or operation of the critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the owner to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1).

(7) Any owner of a critical information infrastructure who —
    (a) without reasonable excuse, fails to comply with subsection (1);
    (b) fails to comply with the Commissioner’s direction under subsection (3), (5)(a) or (6); or
    (c) obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment mentioned in subsection (5)(b) from being carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(8) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.

16.—(1) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners of different critical information infrastructure in responding to significant cybersecurity incidents.

(2) An owner of a critical information infrastructure must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner.

(3) Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000.

17.—(1) The owner of a critical information infrastructure who is aggrieved by —
    (a) the decision of the Commissioner to issue the notice under section 7(1) designating the critical information infrastructure as such;
    (b) a written direction of the Commissioner under section 12 or 16(2); or
    (c) any provision in any code of practice or standard of performance issued or approved by the Commissioner that applies to the owner, or any amendment made to it,
may appeal to the Minister against the decision, direction, provision or amendment in the manner prescribed.

(2) An appeal under subsection (1) must be made within 30 days after the date of the notice or direction, or the issue, approval or amendment (as the case may be) of the code of practice or standard of performance (as the case may be) or such longer period as the Minister allows in a particular case (whether allowed before or after the end of the 30 days).

(3) Any person who makes an appeal to the Minister under subsection (1) must, within the period specified in subsection (2) —
    (a) state as concisely as possible the circumstances under which the appeal arises, and the issues and grounds for the appeal; and
    (b) submit to the Minister all relevant facts, evidence and arguments for the appeal.

(4) Where an appeal has been made to the Minister under subsection (1), the Minister may require —
    (a) any party to the appeal; and
    (b) any person who is not a party to the appeal but appears to the Minister to have information that is relevant to the matters appealed against,
to provide the Minister with all such information as the Minister may require, whether for the purpose of deciding if an Appeals Advisory Panel should be established or for determining the appeal, and any person so required must provide the information in such manner and within such period as may be specified by the Minister.

(5) The Minister may dismiss an appeal of an appellant who fails to comply with subsection (3) or (4).

(6) Unless otherwise provided by this Act or allowed by the Minister, where an appeal is lodged under this section, the decision, direction or other thing appealed against must be complied with until the determination of the appeal.

(7) The Minister may determine an appeal under this section —
    (a) by confirming, varying or reversing a decision, notice, direction, provision of a code of practice or standard of performance, or an amendment to such code or standard; or
    (b) by directing the Commissioner to reconsider the Commissioner’s decision, notice, direction, or provision of a code of practice or standard of performance, as the case may be.

(8) Before determining an appeal under subsection (7), the Minister may consult any Appeals Advisory Panel established for the purpose of advising the Minister in respect of the appeal but, in making such determination, is not bound by the advice of the Panel.

(9) The decision of the Minister in any appeal is final.

(10) The Minister may make regulations in respect of the manner in which an appeal may be made to, and the procedure to be adopted in the hearing of any appeal by, the Minister under this section.

18.—(1) Where the Minister considers that an appeal lodged under section 17(1) involves issues the resolution or understanding of which require particular technical skills or specialised knowledge, the Minister may establish an Appeals Advisory Panel to provide advice to the Minister in respect of the appeal.

(2) For the purposes of establishing an Appeals Advisory Panel, the Minister may do all or any of the following:
    (a) determine, and from time to time vary, the terms of reference of the Appeals Advisory Panel;
    (b) appoint persons possessing particular technical skills or specialised knowledge to be the chairperson and other members of an Appeals Advisory Panel;
    (c) at any time remove the chairperson or other member of an Appeals Advisory Panel from such office;
    (d) determine any other matters which the Minister considers incidental to or expedient for the proper and efficient conduct of business by the Appeals Advisory Panel.

(3) An Appeals Advisory Panel may regulate its proceedings in such manner as it considers appropriate, subject to the following:
    (a) the quorum for a meeting of the Appeals Advisory Panel is a majority of its members;
    (b) a decision supported by a majority of the votes cast at a meeting of the Appeals Advisory Panel at which a quorum is present is the decision of that Panel.

(4) The remuneration and allowances (if any) of a member of an Appeals Advisory Panel is to be determined by the Minister.

(5) An Appeals Advisory Panel is independent in the performance of its functions.