Singapore statutory provision · compiled and provided by LawPlayer

§ 15 — Cybersecurity audits and risk assessments of provider‑owned critical information infrastructure

15.—(1) The owner of a provider-owned critical information infrastructure must —

    (a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance of the provider-owned critical information infrastructure with this Act, any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the provider-owned critical information infrastructure, and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and
    [Act 19 of 2024 wef 31/10/2025]

    (b) at least once a year, starting from the date of the notice issued under section 7, conduct a cybersecurity risk assessment of the provider-owned critical information infrastructure in the prescribed form and manner.
    [Act 19 of 2024 wef 31/10/2025]

(2) The owner of the provider-owned critical information infrastructure must, not later than 30 days after the completion of the audit mentioned in subsection (1)(a) or the cybersecurity risk assessment mentioned in subsection (1)(b), furnish a copy of the report of the audit or assessment to the Commissioner.
[Act 19 of 2024 wef 31/10/2025]

(3) Where it appears to the Commissioner from the report of an audit furnished under subsection (2), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the owner of the provider-owned critical information infrastructure to cause the auditor to carry out that aspect of the audit again.
[Act 19 of 2024 wef 31/10/2025]

(4) Where it appears to the Commissioner that —

    (a) the owner of a provider-owned critical information infrastructure has not complied with a provision of this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance; or

    (b) any information provided by the owner of a provider-owned critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,

the Commissioner may for the purpose of ascertaining the owner’s compliance with this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance, or ascertaining the accuracy or completeness of the information (as the case may be) —

    (c) by order require an audit in respect of the provider-owned critical information infrastructure to be carried out by an auditor appointed by the Commissioner, and the cost of such audit must be borne by the owner; or

    (d) authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to carry out an inspection of the provider-owned critical information infrastructure.
    [Act 19 of 2024 wef 31/10/2025]

(5) Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (2), that the assessment was not carried out satisfactorily, the Commissioner may either —

    (a) direct the owner of the provider-owned critical information infrastructure to carry out further steps to evaluate the level of cybersecurity of the provider-owned critical information infrastructure; or
    [Act 19 of 2024 wef 31/10/2025]

    (b) appoint a cybersecurity service provider to conduct another cybersecurity risk assessment of the provider-owned critical information infrastructure, and the cost of such assessment must be borne by the owner.
    [Act 19 of 2024 wef 31/10/2025]

(6) Where the owner of a provider-owned critical information infrastructure has notified the Commissioner under section 10(5) of a material change made to the design, configuration, security or operation of the provider-owned critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the owner to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1).
[Act 19 of 2024 wef 31/10/2025]

(7) Any owner of a provider-owned critical information infrastructure who —

    (a) without reasonable excuse, fails to comply with subsection (1);

    (b) fails to comply with the Commissioner’s direction under subsection (3), (5)(a) or (6); or

    (c) obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment mentioned in subsection (5)(b) from being carried out,

shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]

(8) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]

[Act 19 of 2024 wef 31/10/2025]


Source of this page: Singapore Statutes Online (AGC) · Compiled and provided by LawPlayer · lawplayer.com