Written Answer

Cases of Data Breaches in Government Agencies Involving Suppliers and Subcontractors Engaged by Third Party Vendors and Efforts to Safeguard Our Systems

Summary

This question concerns Ms Joan Pereira's inquiry on data breaches involving subcontractors of Government vendors and the measures taken to ensure that such parties meet the required cybersecurity safeguards. Senior Minister Teo Chee Hean replied that none of the 15 vendor-related incidents in 2019 involved subcontractors, noting that direct vendors remain fully accountable for maintaining the required standards. He stated that failure to uphold the standards defined by the Government's Instruction Manual results in contractual penalties for the direct vendor, and that the same requirements extend to any subcontractors. Following the recommendations of the Public Sector Data Security Review Committee, the Government will implement more consistent standards and regular audits by 30 April 2020. Agencies will also explicitly specify the requirements in their contracts, and both vendors and subcontractors remain subject to the Personal Data Protection Act.

Transcript

1 Ms Joan Pereira asked the Prime Minister whether there have been cases of data breach in Government agencies where suppliers and subcontractors engaged by third party vendors are involved and, if so, how does the Government ensure that such parties are vetted and accredited to ensure that they are qualified to provide the required services and put in place the needed cybersecurity safeguards for our systems.

Mr Teo Chee Hean (for the Prime Minister): In 2019, there were 15 data incidents that involved a lapse by the third party vendors of Government agencies. None of these incidents involved the supplier to or subcontractor of these direct vendors to Government agencies.

In managing the subcontractors of Government's third party vendors, the key principle is that the Government's direct vendor remains fully responsible for upholding the cybersecurity and data protection measures to the standards defined by the Government's Instruction Manual and other internal regulations. Failure to do so will result in penalties for contractual breaches by the direct vendor.

In other words, the rules are not circumvented just because the third party vendor has outsourced some of the work. For example, third party vendors are required to install updated anti-virus software on the endpoint devices used to process Government data. The same requirement extends to subcontractors that perform such work on their behalf.

In addition, as private sector companies, both the direct vendor and subcontractors that handle Government data are subject to the Personal Data Protection Act and may face penalties when they breach the data protection requirements stipulated in the Act.

As a follow-up to the recommendations of the Public Sector Data Security Review Committee (PSDSRC), we will implement, by 30 April 2020, improved and more consistent standards of cybersecurity and data protection to govern the Government's direct vendors and their subcontractors. Government agencies will clearly specify the cybersecurity and data protection requirements in the contracts with their direct vendors. Government agencies will also conduct regular audits, and any non-compliance with these requirements by vendors or subcontractors will be flagged out and corrected.