Material compiled and provided by 法律人 LawPlayer · Singapore statutory provision · curated by LawPlayer
§ 16I — Duty to report cybersecurity incident in respect of third‑party‑owned critical information infrastructure, etc.
16I.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third-party-owned critical information infrastructure will notify the provider of the occurrence of any of the following within the prescribed period after becoming aware of such occurrence:
(a) a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(c) any other type of cybersecurity incident in respect of the third‑party‑owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third-party-owned critical information infrastructure.
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) The designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a) a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control or the provider’s control, that is interconnected with or that communicates with the third-party-owned critical information infrastructure;
(c) a prescribed cybersecurity incident in respect of any other computer or computer system under the provider’s control that does not fall within paragraph (b);
(d) any other type of cybersecurity incident in respect of the third-party-owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third-party-owned critical information infrastructure.
(5) The designated provider responsible for third-party-owned critical information infrastructure must establish such mechanisms and processes for the purposes of becoming aware of any cybersecurity threats and incidents in respect of the third-party-owned critical information infrastructure, as set out in any applicable code of practice.
(6) Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
[Act 19 of 2024 wef 31/10/2025]
Source for this page: Singapore Statutes Online (AGC) · Compiled and provided by 法律人 LawPlayer · lawplayer.com