§ 17D — Furnishing of information relating to system of temporary cybersecurity concern

17D.—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a system of temporary cybersecurity concern to furnish, within a reasonable period specified in the notice, the following:(a)

information on the design, configuration and security of the system of temporary cybersecurity concern;

(b)

information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

information relating to the operation of the system of temporary cybersecurity concern, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(d)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of temporary cybersecurity concern.

(2) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3) The owner of a system of temporary cybersecurity concern to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4) The owner of a system of temporary cybersecurity concern is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a system of temporary cybersecurity concern to furnish, within a reasonable period specified in the notice, the following:(a)

information on the design, configuration and security of the system of temporary cybersecurity concern;

(b)

information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

information relating to the operation of the system of temporary cybersecurity concern, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(d)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of temporary cybersecurity concern.

(2) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3) The owner of a system of temporary cybersecurity concern to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4) The owner of a system of temporary cybersecurity concern is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).[Act 19 of 2024 wef 31/10/2025]