Singapore legislation
Clause 75
Duty to notify occurrence of notifiable cybersecurity incident
(1) Where a relevant person assesses, in accordance with section 74, that a cybersecurity incident is a notifiable cybersecurity incident, the relevant person must notify the Minister as soon as is practicable, but in any case no later than the expiry of the period prescribed after the day the relevant person makes that assessment.
(2) For the purposes of subsection (1), different periods may be prescribed for different notifiable cybersecurity incidents.
(3) The notification under subsection (1) must contain, to the best of the knowledge and belief of the relevant person at the time the relevant person notifies the Minister, all the information that is prescribed for this purpose.
(4) The notification under subsection (1) must be made in the form and submitted in the manner required by the Minister.
(5) A relevant person is not, by reason only of notifying the Minister under subsection (1), to be regarded as being in breach of —
    any duty or obligation under any written law, rule of law or contract as to secrecy or other restriction on the disclosure of information; or
    any rule of professional conduct or ethics applicable to the relevant person.
(6) Subsection (1) applies concurrently with any obligation of the relevant person —
    under this Part to notify the Minister of the occurrence of a notifiable data breach arising from or relating to a cybersecurity incident; or
    under any other written law to notify any other person (including the Government or any public authority) of the occurrence of a cybersecurity incident, or to provide any information relating to a cybersecurity incident.