(3) In subsection (1), the relevant person is—
- (a) in the case of a transfer of the whole of the legal ownership of the critical information infrastructure to another person—the person who was the owner of the critical information infrastructure before the change in ownership; or
- (b) in any other case, an owner of the critical information infrastructure.
Duty to report cybersecurity incident in respect of critical information infrastructure, etc.
14.—(1) The owner of a critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
- (a) a prescribed cybersecurity incident in respect of the critical information infrastructure;
- (b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
- (c) any other type of cybersecurity incident in respect of the critical information infrastructure that the Commissioner has specified by written direction to the owner.
(2) The owner of a critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the critical information infrastructure, as set out in any applicable code of practice.
(3) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
