Staying Abreast of Cyber Threats (PQ Reply by Senior Minister Teo Chee Hean)
Fourteenth Parliament of Singapore – First Session for the Sitting on 15 February 2022
Question
Mr Yip Hon Weng asked the Prime Minister in light of the data breach where vendors for Mindef and the SAF have been hit by malware (a) how do Ministries ensure vendors stay abreast with the increasingly sophisticated cyber threats; (b) how regularly are audits conducted to ensure vendors maintain best practices; and (c) where data leaks occur more than once with a particular vendor, whether there will be stronger follow-up action.
Answer
Written answer by Mr Teo Chee Hean, Senior Minister and Coordinating Minister for National Security (for the Prime Minister)
The Government requires vendors to implement cybersecurity and data protection measures that are benchmarked to industry standards, such as the US National Institute of Science and Technology’s National Checklist Program. For example, vendors are required to install updated anti-virus software on the endpoint devices used to process government data. These measures are reviewed every quarter to ensure that they remain relevant and are aligned with the latest practices. To complement these standards, we have also implemented recommendations from the Public Sector Data Security Review Committee (PSDSRC) to clearly specify cybersecurity and data security requirements in vendor contracts and to conduct regular audits for compliance.
The Government audits vendors regularly, and those that handle more sensitive and critical systems are audited more frequently. Vendors managing the most classified and sensitive data are audited annually while those handling less classified and sensitive data are audited once every two or three years. Vendors are required to submit a remediation plan within two weeks after the release of the audit report to address all audit findings.
The Government will impose penalties on the vendor if data is leaked. Repeat offences will be taken as an aggravating factor when determining the severity of penalties, and may result in harsher penalties such as seeking liquidated damages from the vendor, contract termination, or debarment from all Government contracts for a period of time. In cases of deliberate or reckless mishandling of personal data, the negligent vendor may also be found criminally liable under the Personal Data Protection Act.