14. In the principal Act, replace sections 17 and 18 with —
“PART 3A
PROVIDERS OF ESSENTIAL SERVICE RESPONSIBLE FOR CYBERSECURITY OF THIRD‑PARTY‑OWNED CRITICAL INFORMATION INFRASTRUCTURE

Designation of provider of essential service responsible for cybersecurity of third‑party‑owned critical information infrastructure
16A.—(1) The Commissioner may, by written notice to a provider of an essential service, designate the provider as a provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
  (a) a computer or computer system (called a third‑party‑owned critical information infrastructure) (whether located in or outside Singapore) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
  (b) the computer or computer system is not owned by the provider of the essential service.
(2) A notice issued under subsection (1) must —
  (a) identify the third‑party‑owned critical information infrastructure in relation to which the provider is designated as a designated provider responsible for third‑party‑owned critical information infrastructure;
  (b) identify the provider of the essential service so designated as a designated provider responsible for third‑party‑owned critical information infrastructure;
  (c) identify the person who appears to be the owner of the third‑party‑owned critical information infrastructure;
  (d) inform the designated provider responsible for third‑party‑owned critical information infrastructure regarding the provider’s duties and responsibilities under this Act that arise from the designation;
  (e) provide the name and contact particulars of the officer assigned by the Commissioner to supervise the designated provider responsible for third‑party‑owned critical information infrastructure in relation to the cybersecurity of the third‑party‑owned critical information infrastructure;
  (f) inform the designated provider responsible for third‑party‑owned critical information infrastructure that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
  (g) inform the designated provider responsible for third‑party‑owned critical information infrastructure that the provider may appeal to the Minister against the designation, and provide information on the applicable procedure.
(3) Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.
(4) A notice issued under this section need not be published in the Gazette.

Power to obtain information to ascertain if criteria for designated provider responsible for cybersecurity of third‑party‑owned critical information infrastructure fulfilled
16B.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria in section 16A(1).
(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by the person, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system that is within that person’s knowledge or which the person can reasonably obtain, as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria in section 16A(1).
(3) Without limiting subsection (2), the Commissioner may in the notice require the person to provide —
  (a) information relating to —
    (i) the function that the computer or computer system is employed to serve; and
    (ii) the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;
  (b) information relating to the design of the computer or computer system; and
  (c) any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria in section 16A(1).
(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(5) Where a person fails to comply with a notice under subsection (2), and the computer or computer system in relation to which the notice was issued appears to be necessary for the delivery of an essential service provided by the person, the Commissioner may order the person to cease using, directly or indirectly, the computer or computer system in relation to which the notice was issued.
(6) Any person who, without reasonable excuse, fails to comply with an order issued under subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(7) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.

Withdrawal of designation of designated provider responsible for third‑party‑owned critical information infrastructure
16C. The Commissioner may, by written notice, withdraw the designation of any designated provider responsible for third‑party‑owned critical information infrastructure at any time if the Commissioner is of the opinion that the criteria in section 16A(1) are no longer fulfilled.

Extension of designation of designated provider responsible for third‑party‑owned critical information infrastructure
16D.—(1) At any time before the expiry of the designation of a designated provider responsible for third‑party‑owned critical information infrastructure, the Commissioner may, by written notice, extend the designation of the designated provider responsible for third‑party‑owned critical information infrastructure, if the Commissioner is of the opinion that the criteria in section 16A(1) continue to be fulfilled.
(2) Any extension of a designation under subsection (1) has effect for a period of 5 years starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.

Furnishing of information relating to third‑party‑owned critical information infrastructure
16E.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —
  (a) upon the request of the designated provider responsible for third‑party‑owned critical information infrastructure pursuant to a notice issued by the Commissioner under subsection (4), furnish the provider the following within a reasonable period:
    (i) information on the design, configuration and security of the third‑party‑owned critical information infrastructure;
    (ii) information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
    (iii) information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
    (iv) any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure; and
  (b) notify the designated provider responsible for third‑party‑owned critical information infrastructure when a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the provider pursuant to a request mentioned in paragraph (a), not later than 30 days after the change is made, so that the provider may notify the Commissioner in accordance with subsection (8).
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) The Commissioner may by notice given in the prescribed form and manner, require the designated provider responsible for third‑party‑owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:
  (a) information on the design, configuration and security of the third‑party‑owned critical information infrastructure;
  (b) information on the design, configuration and security of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
  (c) information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
  (d) any other information relating to the third‑party‑owned critical information infrastructure that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure.
(5) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(6) The designated provider responsible for third‑party‑owned critical information infrastructure to whom a notice is issued under subsection (4) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(7) The designated provider responsible for third‑party‑owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (4).
(8) If a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (4), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the provider becomes aware of it.
(9) For the purposes of subsections (1)(b) and (8), a change is a material change if the change affects or may affect the cybersecurity of the third‑party‑owned critical information infrastructure, or the ability of the owner of the third‑party‑owned critical information infrastructure or the designated provider responsible for third‑party‑owned critical information infrastructure, to respond to a cybersecurity threat or incident affecting the third‑party‑owned critical information infrastructure.
(10) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.

Provider to ensure third‑party‑owned critical information infrastructure conforms with prescribed standards
16F.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure, that the owner will ensure that any applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of that third‑party‑owned critical information infrastructure.
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Where it appears to the Commissioner that —
  (a) the standards mentioned in subsection (1) are not maintained in respect of the third‑party‑owned critical information infrastructure despite the issuance of directions mentioned in section 16G(2)(c) and any steps taken by the designated provider responsible for third‑party‑owned critical information infrastructure; and
  (b) there is no reasonable excuse for such failure to maintain the standards,
the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(4) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) or (3) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Power of Commissioner to issue written directions
16G.—(1) The Commissioner may, if the Commissioner thinks —
  (a) it is necessary or expedient for ensuring the cybersecurity of a third‑party‑owned critical information infrastructure or a class of third‑party‑owned critical information infrastructure; or
  (b) it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to a designated provider responsible for third‑party‑owned critical information infrastructure or a class of such providers.
(2) Without limiting subsection (1), a direction under that subsection may relate to —
  (a) the action to be taken by the provider or providers in relation to a cybersecurity threat;
  (b) compliance with any code of practice or standard of performance applicable to the provider;
  (c) steps to be taken by the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to ensure that any prescribed technical or other standards relating to cybersecurity in respect of the third‑party‑owned critical information infrastructure are maintained;
  (d) the appointment of an auditor approved by the Commissioner to audit the provider or providers on their compliance with this Act or any code of practice or standard of performance applicable to the provider or providers; or
  (e) any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the third‑party‑owned critical information infrastructure.
(3) A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.
(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —
  (a) stating that the Commissioner proposes to issue the direction and setting out its effect; and
  (b) specifying the time within which representations or objections to the proposed direction may be made.
(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.
(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Change in ownership of third‑party‑owned critical information infrastructure
16H.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner will notify the provider of any change in the beneficial or legal ownership (including any share in such ownership) of the third‑party‑owned critical information infrastructure, not later than 7 days after the date of that change in ownership.
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a third‑party‑owned critical information infrastructure, the designated provider responsible for third‑party‑owned critical information infrastructure must inform the Commissioner of the change in ownership not later than 7 days after the provider becomes aware of that change in ownership.
(5) Where the criteria in section 16A(1) are no longer fulfilled, the designated provider responsible for third‑party‑owned critical information infrastructure must inform the Commissioner of the change in circumstances not later than 7 days after the date of the change in circumstances.
(6) Any person who, without reasonable excuse, fails to comply with subsection (4) or (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.

Duty to report cybersecurity incident in respect of third‑party‑owned critical information infrastructure, etc.
16I.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will notify the provider of the occurrence of any of the following within the prescribed period after becoming aware of such occurrence:
  (a) a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
  (b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
  (c) any other type of cybersecurity incident in respect of the third‑party‑owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third‑party‑owned critical information infrastructure.
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) The designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
  (a) a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
  (b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control or the provider’s control, that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
  (c) a prescribed cybersecurity incident in respect of any other computer or computer system under the provider’s control that does not fall within paragraph (b);
  (d) any other type of cybersecurity incident in respect of the third‑party‑owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third‑party‑owned critical information infrastructure.
(5) The designated provider responsible for third‑party‑owned critical information infrastructure must establish such mechanisms and processes for the purposes of becoming aware of any cybersecurity threats and incidents in respect of the third‑party‑owned critical information infrastructure, as set out in any applicable code of practice.
(6) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.

Cybersecurity audits and risk assessments of third‑party‑owned critical information infrastructure
16J.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —
  (a) at least once every 2 years (or at such higher frequency as the Commissioner may require in any particular case by written notice to the provider), starting from the date of the notice issued under section 16A(1), cause an audit of the adherence of the third‑party‑owned critical information infrastructure to any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the third‑party‑owned critical information infrastructure, to be carried out by an auditor approved by the Commissioner;
  (b) at least once a year, starting from the date of the notice issued under section 16A(1), conduct a cybersecurity risk assessment of the third‑party‑owned critical information infrastructure in the prescribed form or manner;
  (c) furnish a copy of the report of any audit mentioned in paragraph (a), and the report of any cybersecurity risk assessment mentioned in paragraph (b), to the provider, not later than 30 days after the completion of the audit or assessment (as the case may be);
  (d) carry out again any aspect of an audit mentioned in paragraph (a) as required by the provider pursuant to a direction from the Commissioner under subsection (6);
  (e) cause an audit in respect of the third‑party‑owned critical information infrastructure to be carried out by an auditor approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (7);
  (f) carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure, or cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (8); and
  (g) carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in paragraphs (a) and (b), as required by the provider pursuant to a direction from the Commissioner under subsection (9).
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) The designated provider responsible for third‑party‑owned critical information infrastructure must obtain from the owner each report of an audit and each report of a cybersecurity risk assessment mentioned in subsection (1)(c).
(5) The designated provider responsible for third‑party‑owned critical information infrastructure must, not later than 14 days after receiving from the owner a report of an audit or a cybersecurity risk assessment, furnish a copy of the report of the audit or assessment to the Commissioner.
(6) Where it appears to the Commissioner from the report of an audit furnished under subsection (5), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to carry out that aspect of the audit again.
(7) Where it appears to the Commissioner that —
  (a) the third‑party‑owned critical information infrastructure is not in conformity with any prescribed technical or other standard relating to cybersecurity that is to be maintained in respect of the third‑party‑owned critical information infrastructure; or
  (b) any information furnished by the designated provider responsible for third‑party‑owned critical information infrastructure under section 16E is false, misleading, inaccurate or incomplete,
the Commissioner may for the purpose of ascertaining the third‑party‑owned critical information infrastructure’s conformity with the applicable prescribed technical or other standard relating to cybersecurity, or ascertaining the accuracy or completeness of the information (as the case may be), direct the provider to require the owner of the third‑party‑owned critical information infrastructure to cause an audit in respect of the third‑party‑owned critical information infrastructure to be carried out by an auditor approved by the Commissioner.
(8) Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (5), that the assessment was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to either —
  (a) carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure; or
  (b) cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner.
(9) Where the designated provider responsible for third‑party‑owned critical information infrastructure has notified the Commissioner under section 16E(8) of a material change made to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the provider to require the owner of the third‑party‑owned critical information infrastructure to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1)(a) or (b).
(10) Any designated provider responsible for third‑party‑owned critical information infrastructure who —
  (a) without reasonable excuse, fails to comply with subsection (4);
  (b) without reasonable excuse, fails to comply with the Commissioner’s direction under subsection (6), (7), (8)(a) or (b) or (9); or
  (c) obstructs or prevents an audit mentioned in subsection (7) or a cybersecurity risk assessment mentioned in subsection (8)(b) from being carried out, or impedes the effectiveness of such an audit or cybersecurity risk assessment carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(11) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.

Duty to notify material change to legally binding commitment
16K.—(1) If a material change is made to a legally binding commitment that was obtained by a designated provider responsible for third‑party‑owned critical information infrastructure for the purpose of meeting a requirement under section 16E(1), 16F(1), 16H(1), 16I(1) or 16J(1), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the change is made.
(2) For the purposes of subsection (1), a change is a material change if the change affects the ability of the designated provider responsible for third‑party‑owned critical information infrastructure to obtain the performance, by the owner of the third‑party‑owned critical information infrastructure, of the actions committed in accordance with the legally binding commitment.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.

16L.—(1) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of different designated providers responsible for third‑party‑owned critical information infrastructure in responding to significant cybersecurity incidents.
(2) A designated provider responsible for third‑party‑owned critical information infrastructure must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner.
(3) Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000.”.
|
|
|
|