Singapore legislation

Clause 15 of Cybersecurity (Amendment) Bill

Clause 15

New Part 3B

In the principal Act, after Part 3A (as inserted by section 14), insert —

“PART 3B

SYSTEMS OF TEMPORARY CYBERSECURITY CONCERN

Designation of system of temporary cybersecurity concern

17.—

(1)

The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a system of temporary cybersecurity concern for the purposes of this Act, if the Commissioner is satisfied that —

(a)

for a limited period —

(i)

there is a high risk that a cybersecurity threat or cybersecurity incident may be carried out that will jeopardise or adversely affect, without lawful authority, the cybersecurity of the computer or computer system; and

(ii)

the loss or compromise of the computer or computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; and

(b)

the computer or computer system is located wholly or partly in Singapore.

(2) A notice issued under subsection (1) must —

(a)

identify the computer or computer system that is being designated as a system of temporary cybersecurity concern;

(b)

identify the owner of the computer or computer system so designated as a system of temporary cybersecurity concern;

(c)

inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;

(d)

specify the first and last day of the period of designation, which must not exceed one year;

(e)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the system of temporary cybersecurity concern in relation to its cybersecurity;

(f)

inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(g)

inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect until the end of the period of designation specified in the notice, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —

(a)

the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and

(b)

another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a system of temporary cybersecurity concern is a reference to the person mentioned in subsection (4)(b).

(7) Where —

(a)

a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and

(b)

the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,

the owner of the system of temporary cybersecurity concern must notify the Commissioner of this without delay.

(8) Where a system of temporary cybersecurity concern is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the system of temporary cybersecurity concern is treated as the owner of the system of temporary cybersecurity concern for the purposes of this Act.

(9) A notice issued under this section need not be published in the Gazette.

Power to obtain information to ascertain if criteria for system of temporary cybersecurity concern fulfilled

17A.—

(1)

This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a system of temporary cybersecurity concern.

(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern.

(3) Without limiting subsection (2), for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern, the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —

(a)

information relating to —

(i)

the function that the computer or computer system is employed to serve; and

(ii)

the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;

(b)

information relating to the design of the computer or computer system; and

(c)

any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern.

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.

Withdrawal of designation of system of temporary cybersecurity concern

17B. The Commissioner may, by written notice, withdraw the designation of a system of temporary cybersecurity concern at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a system of temporary cybersecurity concern.

Extension of designation of system of temporary cybersecurity concern

17C.—

(1)

At any time before the expiry of the designation of a system of temporary cybersecurity concern, the Commissioner may, by written notice, extend the designation of the system of temporary cybersecurity concern, if the Commissioner is of the opinion that the computer or computer system continues to fulfil the criteria to be designated as a system of temporary cybersecurity concern.

(2) Any extension of a designation under subsection (1) has effect for the period stated in the notice in subsection (1) (which must not exceed one year for each extension), starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.

Furnishing of information relating to system of temporary cybersecurity concern

17D.—

(1)

The Commissioner may by notice given in the prescribed form and manner, require the owner of a system of temporary cybersecurity concern to furnish, within a reasonable period specified in the notice, the following:

(a)

information on the design, configuration and security of the system of temporary cybersecurity concern;

(b)

information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

information relating to the operation of the system of temporary cybersecurity concern, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(d)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of temporary cybersecurity concern.

(2) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3) The owner of a system of temporary cybersecurity concern to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4) The owner of a system of temporary cybersecurity concern is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).

Power of Commissioner to issue written directions

17E.—

(1)

The Commissioner may, if the Commissioner thinks —

(a)

it is necessary or expedient for ensuring the cybersecurity of a system of temporary cybersecurity concern or a class of systems of temporary cybersecurity concern; or

(b)

it is necessary or expedient for the effective administration of this Act,

issue a written direction, either of a general or specific nature, to the owner of a system of temporary cybersecurity concern or a class of such owners.

(2) Without limiting subsection (1), a direction under that subsection may relate to —

(a)

the action to be taken by the owner or owners in relation to a cybersecurity threat;

(b)

compliance with any prescribed technical or other standards relating to cybersecurity in respect of the system of temporary cybersecurity concern;

(c)

compliance with any code of practice or standard of performance applicable to the owner;

(d)

the appointment of an auditor approved by the Commissioner to audit the owner or owners on their compliance with this Act or any code of practice or standard of performance applicable to the owner or owners; or

(e)

any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the system of temporary cybersecurity concern.

(3) A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —

(a)

stating that the Commissioner proposes to issue the direction and setting out its effect; and

(b)

specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Duty to report cybersecurity incident in respect of system of temporary cybersecurity concern, etc.

17F.—

(1)

The owner of a system of temporary cybersecurity concern must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:

(a)

a prescribed cybersecurity incident in respect of the system of temporary cybersecurity concern;

(b)

a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;

(c)

a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the system of temporary cybersecurity concern.

(2) The owner of a system of temporary cybersecurity concern must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the system of temporary cybersecurity concern, as set out in any applicable code of practice.

(3) Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.”.