Cybersecurity audits and risk assessments of critical information infrastructure
15.—(1)  The owner of a critical information infrastructure must —
(a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance of the critical information infrastructure with this Act and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and
(b) at least once a year, starting from the date of the notice issued under section 7, conduct a cybersecurity risk assessment of the critical information infrastructure in the prescribed form and manner.
(2)  The owner of the critical information infrastructure must, not later than 30 days after the completion of the audit mentioned in subsection (1)(a) or the cybersecurity risk assessment mentioned in subsection (1)(b), furnish a copy of the report of the audit or assessment to the Commissioner.
(3)  Where it appears to the Commissioner from the report of an audit furnished under subsection (2), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the owner of the critical information infrastructure to cause the auditor to carry out that aspect of the audit again.
(4)  Where it appears to the Commissioner that —
(a) the owner of a critical information infrastructure has not complied with a provision of this Act, or an applicable code of practice or standard of performance; or
(b) any information provided by the owner of a critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,
the Commissioner may by order require an audit in respect of the critical information infrastructure to be carried out by an auditor appointed by the Commissioner, for the purpose of ascertaining the owner’s compliance with this Act or an applicable code of practice or standard of performance, or the accuracy or completeness of the information (as the case may be) and the cost of such audit must be borne by the owner.
(5)  Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (2), that the assessment was not carried out satisfactorily, the Commissioner may either —
(a) direct the owner of the critical information infrastructure to carry out further steps to evaluate the level of cybersecurity of the critical information infrastructure; or
(b) appoint a cybersecurity service provider to conduct another cybersecurity risk assessment of the critical information infrastructure, and the cost of such assessment must be borne by the owner.
(6)  Where the owner of a critical information infrastructure has notified the Commissioner under section 10(5) of a material change made to the design, configuration, security or operation of the critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the owner to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1).
(7)  Any owner of a critical information infrastructure who —
(a) without reasonable excuse, fails to comply with subsection (1);
(b) fails to comply with the Commissioner’s direction under subsection (3), (5)(a) or (6); or
(c) obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment mentioned in subsection (5)(b) from being carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(8)  Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.