Part VI - Licensing of Cyber Security Service Providers
41. Cyber security services
For the purposes of this Act, the following are cyber security services:
- penetration testing;
- security operations centre;
- information security risk assessment;
- vulnerability assessment;
- incident response;
- cyber audit;
- red teaming; or
- any other services as may be prescribed.
42. Prohibition of providing cyber security service without licence
- A person shall not provide a cyber security service without a licence issued under this Act.
- A controller shall not engage a person who is not licensed under this Act.
- A person who contravenes subsection (1) or (2) commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years, or to both.
43. Categories of licences
There shall be categories of licences as may be prescribed for purposes of providing cyber security services specified under section 41.
44. Application for licence
- A person who intends to provide a cyber security service shall apply to the Agency for a licence in the prescribed manner and form on payment of a prescribed fee.
- The Agency shall, within thirty days of receipt of an application under subsection (1), approve or reject the application.
- Where the Agency fails to make a decision within the period referred to under subsection (2), the application shall be deemed to have been granted.
- The Agency may request for further particulars or information in respect of an application under this section in the prescribed manner and form.
45. Grant of licence
- The Agency shall, where the Agency approves an application under section 44, issue the applicant with a licence in a prescribed manner and form.
- A licence issued under this section may be issued on terms and conditions that the Agency may determine.
46. Rejection of application
- The Agency shall reject an application for a licence as a cyber security service provider if —
  - an applicant or an officer of an applicant is not a fit and proper person;
  - it is not in the public interest to grant the application;
  - the grant of the licence may pose a threat to national security; or
  - the applicant has not met the criteria for licensing as prescribed.
- The Agency shall, where the Agency rejects an application for a licence on the grounds set out in subsection (1), inform the applicant, in writing, stating the reasons for the rejection.
- For the purposes of subsection (1), an applicant or an officer of the applicant is not a fit and proper person, if that applicant or officer —
  - is legally disqualified;
  - is an undischarged bankrupt;
  - has been convicted of an offence involving fraud or dishonesty;
  - has been convicted of an offence under this Act; or
  - does not meet any other criteria that may be determined by the Agency.
- In this section, unless the context otherwise requires, “officer” means a director, a partner of the applicant or any person who is responsible for conducting cyber security services.
47. Variation of licence
A holder of a licence may, at any time during the validity of the licence, apply to the Agency for a variation of the licence in a prescribed manner and form on payment of a prescribed fee.
48. Surrender of licence
The holder of a licence shall, where the holder of a licence does not intend to continue operating as a cyber security service provider to which the licence relates, surrender the licence to the Agency.
49. Transfer of licence
A licence issued under this Part shall not be transferred to a third party.
50. Renewal of licence
- A cyber security service provider that intends to renew a licence shall, not less than three months before expiry of the licence, apply for renewal of the licence in the prescribed manner and form on payment of a prescribed fee.
- The Agency shall renew the licence if the cyber security service provider remains in compliance with the conditions of the licence under this Act.
- A licence renewed under this section shall be valid for a period that the Agency may determine.
- A cyber security service provider who applies for renewal of a licence later than the period specified in subsection (1), shall pay a penalty fee for the late application as may be prescribed.
51. Cancellation or suspension of licence
- The Agency shall suspend or cancel a licence if a holder of the licence —
  - obtained the licence through fraud, misrepresentation or concealment of a material fact;
  - is insolvent;
  - is legally disqualified from operating a cyber security service;
  - is convicted of an offence under this Act or any other written law and sentenced to imprisonment for a term exceeding six months without the option of a fine; or
  - contravenes any provision of this Act or terms and conditions of the licence.
- The Agency shall, before suspending or cancelling the licence in accordance with subsection (1), notify the holder of the licence of the Agency’s intention to suspend or cancel the licence and shall —
  - give reasons for the intended suspension or cancellation; and
  - require the holder to show cause, within a period of not more than thirty days, why the licence should not be suspended or cancelled.
- The Agency shall not suspend or cancel a licence under this section if the holder takes remedial measures to the satisfaction of the Agency within the period specified under subsection (2).
- The Agency shall, in making the Agency’s final determination on the suspension or cancellation of a licence consider the submissions made by the holder of a licence under subsection (2).
- The Agency may suspend or cancel a licence if the holder after being notified under subsection (2) fails to show cause or does not take any remedial measures, to the satisfaction of the Agency, within the time specified in that subsection.
- The holder of a licence shall, where a licence is cancelled in accordance with subsection (5), surrender the licence to the Agency.
52. Register of cyber security service providers
The Agency shall keep and maintain a register of cyber security service providers in the prescribed manner and form.