§ 17F — Duty to report cybersecurity incident in respect of system of temporary cybersecurity concern, etc.

17F.—(1) The owner of a system of temporary cybersecurity concern must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:(a)

a prescribed cybersecurity incident in respect of the system of temporary cybersecurity concern;

(b)

a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the system of temporary cybersecurity concern.

(2) The owner of a system of temporary cybersecurity concern must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the system of temporary cybersecurity concern, as set out in any applicable code of practice.

(3) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]

—(1) The owner of a system of temporary cybersecurity concern must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:(a)

a prescribed cybersecurity incident in respect of the system of temporary cybersecurity concern;

(b)

a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the system of temporary cybersecurity concern.

(2) The owner of a system of temporary cybersecurity concern must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the system of temporary cybersecurity concern, as set out in any applicable code of practice.

(3) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]