Singapore legislation

Clause 16 of Cybersecurity (Amendment) Bill

New Part 3C

In the principal Act, before Part 4, insert —

“PART 3C

ENTITIES OF SPECIAL CYBERSECURITY INTEREST

Designation of entity of special cybersecurity interest

18.—(1) The Commissioner may, by written notice to an entity, designate the entity as an entity of special cybersecurity interest for the purposes of this Act, if the Commissioner is satisfied that —
    (a) the entity —
        (i) stores sensitive information in a computer or computer system (or class of computers or computer systems) under the entity’s control; or
        (ii) uses a computer or computer system (or class of computers or computer systems) under the entity’s control to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore; and
    (b) the entity is incorporated or established under any written law.

(2) A notice issued under subsection (1) must —
    (a) identify the entity that is being designated as an entity of special cybersecurity interest;
    (b) describe the computer or computer system (or class of computers or computer systems) in relation to which the entity of special cybersecurity interest is being designated;
    (c) inform the entity of special cybersecurity interest regarding the entity’s duties and responsibilities under this Act that arise from the designation;
    (d) provide the name and contact particulars of the officer assigned by the Commissioner to supervise the entity of special cybersecurity interest in relation to the cybersecurity of the entity’s computers or computer systems;
    (e) inform the entity of special cybersecurity interest that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
    (f) inform the entity of special cybersecurity interest that the entity may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) A notice issued under this section need not be published in the Gazette.

(5) In this section and section 18A, “sensitive information” means information the disclosure of which will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.

Power to obtain information to ascertain if criteria for entity of special cybersecurity interest fulfilled

18A.—(1) This section applies where the Commissioner has reason to believe that an entity may fulfil the criteria to be designated as an entity of special cybersecurity interest.

(2) The Commissioner may, by notice given in the prescribed form and manner, require any entity to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that entity as may be required by the Commissioner for the purpose of ascertaining whether the entity fulfils the criteria to be designated as an entity of special cybersecurity interest.

(3) Without limiting subsection (2), for the purpose of ascertaining whether an entity fulfils the criteria to be designated as an entity of special cybersecurity interest, the Commissioner may in the notice require the entity to provide —
    (a) information relating to —
        (i) the extent to which the entity stores sensitive information in any computer or computer system (or class of computers or computer systems); and
        (ii) the extent to which the entity uses any computer or computer system (or class of computers or computer systems) to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore;
    (b) information relating to the design of any computer or computer system (or class of computers or computer systems) which the entity uses to store sensitive information or to perform a function which, if disrupted, will have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore; and
    (c) any other information that the Commissioner may require in order to ascertain whether the entity fulfils the criteria to be designated as an entity of special cybersecurity interest.

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.

Withdrawal of designation of entity of special cybersecurity interest

18B. The Commissioner may, by written notice, withdraw the designation of an entity of special cybersecurity interest at any time if the Commissioner is of the opinion that the entity no longer fulfils the criteria to be designated as an entity of special cybersecurity interest.

Extension of designation of entity of special cybersecurity interest

18C.—(1) At any time before the expiry of the designation of an entity of special cybersecurity interest, the Commissioner may, by written notice, extend the designation of the entity of special cybersecurity interest, if the Commissioner is of the opinion that the entity continues to fulfil the criteria to be designated as an entity of special cybersecurity interest.

(2) Any extension of a designation under subsection (1) has effect for a period of 5 years starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.

Furnishing of information relating to system of special cybersecurity interest

18D.—(1) The Commissioner may by notice given in the prescribed form and manner, require the entity of special cybersecurity interest to furnish, within a reasonable period specified in the notice, the following:
    (a) information on the design, configuration and security of the system of special cybersecurity interest;
    (b) any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of special cybersecurity interest.

(2) Any entity of special cybersecurity interest who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3) The entity of special cybersecurity interest to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4) The entity of special cybersecurity interest is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).

Power of Commissioner to issue written directions

18E.—(1) The Commissioner may, if the Commissioner thinks —
    (a) it is necessary or expedient for ensuring the cybersecurity of a system of special cybersecurity interest; or
    (b) it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to the entity of special cybersecurity interest or a class of such entities.

(2) Without limiting subsection (1), a direction under that subsection may relate to —
    (a) the action to be taken by the entity or entities in relation to a cybersecurity threat;
    (b) compliance with any prescribed technical or other standards relating to cybersecurity in respect of the system of special cybersecurity interest;
    (c) compliance with any code of practice or standard of performance applicable to the entity;
    (d) the appointment of an auditor approved by the Commissioner to audit the entity or entities on their compliance with this Act or any code of practice or standard of performance applicable to the entity or entities; or
    (e) any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the system of special cybersecurity interest.

(3) A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —
    (a) stating that the Commissioner proposes to issue the direction and setting out its effect; and
    (b) specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Duty to report cybersecurity incident affecting entity of special cybersecurity interest

18F.—(1) The entity of special cybersecurity interest must notify the Commissioner, in the prescribed form and manner, within the prescribed period after becoming aware of the occurrence of a prescribed cybersecurity incident in respect of the system of special cybersecurity interest or any other computer or computer system under the entity’s control, where the incident —
    (a) results in a breach in the availability, confidentiality or integrity of the entity’s data; or
    (b) has a significant impact on the business operations of the entity.

(2) The entity of special cybersecurity interest must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the system of special cybersecurity interest, as set out in any applicable code of practice.

(3) Any entity of special cybersecurity interest who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore.”.