Material compiled and provided by LawPlayer · Singapore statutory provision · curated by LawPlayer
§ 16J — Cybersecurity audits and risk assessments of third‑party‑owned critical information infrastructure
16J.—(1) A designated provider responsible for third-party-owned critical information infrastructure must obtain a legally binding commitment from the owner of the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —
(a) at least once every 2 years (or at such higher frequency as the Commissioner may require in any particular case by written notice to the provider), starting from the date of the notice issued under section 16A(1), cause an audit of the adherence of the third-party-owned critical information infrastructure to any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the third‑party‑owned critical information infrastructure, to be carried out by an auditor approved by the Commissioner;
(b) at least once a year, starting from the date of the notice issued under section 16A(1), conduct a cybersecurity risk assessment of the third‑party‑owned critical information infrastructure in the prescribed form or manner;
(c) furnish a copy of the report of any audit mentioned in paragraph (a), and the report of any cybersecurity risk assessment mentioned in paragraph (b), to the provider, not later than 30 days after the completion of the audit or assessment (as the case may be);
(d) carry out again any aspect of an audit mentioned in paragraph (a) as required by the provider pursuant to a direction from the Commissioner under subsection (6);
(e) cause an audit in respect of the third-party-owned critical information infrastructure to be carried out by an auditor approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (7);
(f) carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure, or cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (8); and
(g) carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in paragraphs (a) and (b), as required by the provider pursuant to a direction from the Commissioner under subsection (9).
(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3) Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4) The designated provider responsible for third-party-owned critical information infrastructure must obtain from the owner each report of an audit and each report of a cybersecurity risk assessment mentioned in subsection (1)(c).
(5) The designated provider responsible for third‑party‑owned critical information infrastructure must, not later than 14 days after receiving from the owner a report of an audit or a cybersecurity risk assessment, furnish a copy of the report of the audit or assessment to the Commissioner.
(6) Where it appears to the Commissioner from the report of an audit furnished under subsection (5), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to carry out that aspect of the audit again.
(7) Where it appears to the Commissioner that —
(a) the third‑party‑owned critical information infrastructure is not in conformity with any prescribed technical or other standard relating to cybersecurity that is to be maintained in respect of the third‑party‑owned critical information infrastructure; or
(b) any information furnished by the designated provider responsible for third‑party‑owned critical information infrastructure under section 16E is false, misleading, inaccurate or incomplete,
the Commissioner may for the purpose of ascertaining the third‑party‑owned critical information infrastructure’s conformity with the applicable prescribed technical or other standard relating to cybersecurity, or ascertaining the accuracy or completeness of the information (as the case may be), direct the provider to require the owner of the third‑party‑owned critical information infrastructure to cause an audit in respect of the third‑party‑owned critical information infrastructure to be carried out by an auditor approved by the Commissioner.
(8) Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (5), that the assessment was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to either —
(a) carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure; or
(b) cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner.
(9) Where the designated provider responsible for third‑party‑owned critical information infrastructure has notified the Commissioner under section 16E(8) of a material change made to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the provider to require the owner of the third‑party‑owned critical information infrastructure to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1)(a) or (b).
(10) Any designated provider responsible for third‑party‑owned critical information infrastructure who —
(a) without reasonable excuse, fails to comply with subsection (4);
(b) without reasonable excuse, fails to comply with the Commissioner’s direction under subsection (6), (7), (8)(a) or (b) or (9); or
(c) obstructs or prevents an audit mentioned in subsection (7) or a cybersecurity risk assessment mentioned in subsection (8)(b) from being carried out, or impedes the effectiveness of such an audit or cybersecurity risk assessment carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(11) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
Source of this page: Singapore Statutes Online (AGC) · Compiled and provided by LawPlayer · lawplayer.com