appointed by the Commissioner, for the purpose of ascertaining the owner’s compliance with this Act or an applicable code of practice or standard of performance, or the accuracy or completeness of the information, as the case may be, and the cost of such audit must be borne by the owner.
(5) Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (2), that the assessment was not carried out satisfactorily, the Commissioner may either—
- (a) direct the owner of the critical information infrastructure to carry out further steps to evaluate the level of cybersecurity of the critical information infrastructure; or
- (b) appoint a cybersecurity service provider to conduct another cybersecurity risk assessment of the critical information infrastructure, and the cost of such assessment must be borne by the owner.
(6) Where the owner of a critical information infrastructure has notified the Commissioner under section 10(5) of a material change made to the design, configuration, security or operation of the critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the owner to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1).
(7) Any owner of a critical information infrastructure who—
- (a) fails, without reasonable excuse, to comply with subsection (1);
- (b) fails to comply with the Commissioner’s direction under subsection (3), (5)(a) or (6); or
- (c) obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment mentioned in subsection (5)(b) from being carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceed
