Written Answer

Efforts to Ensure Mindef and SAF's Vendors Maintain Best Practices and Stay abreast of Cyber Threats in Light of Data Breach Incidences

Summary

This question concerns Mr Yip Hon Weng’s inquiry regarding how the Government ensures MINDEF and SAF vendors maintain cybersecurity standards and the consequences for repeated data breaches. Senior Minister Teo Chee Hean replied that vendors must implement industry-benchmarked measures reviewed quarterly and comply with regular audits conducted every one to three years depending on data sensitivity. Vendors are required to submit remediation plans within two weeks of any audit findings, while penalties for leaks include liquidated damages, contract termination, or debarment. Senior Minister Teo Chee Hean noted that repeat offences attract harsher penalties and that negligent vendors may face criminal liability under the Personal Data Protection Act for reckless data mishandling. These requirements, which include recommendations from the Public Sector Data Security Review Committee, ensure that vendors stay abreast of sophisticated cyber threats and maintain best practices.

Transcript

3 Mr Yip Hon Weng asked the Prime Minister in light of the data breach where vendors for MINDEF and SAF have been hit by malware (a) how do Ministries ensure vendors stay abreast with the increasingly sophisticated cyber threats; (b) how regularly are audits conducted to ensure vendors maintain best practices; and (c) where data leaks occur more than once with a particular vendor, whether there will be stronger follow-up action.

Mr Teo Chee Hean (for the Prime Minister): The Government requires vendors to implement cybersecurity and data protection measures that are benchmarked to industry standards, such as the US National Institute of Science and Technology’s National Checklist Program. For example, vendors are required to install updated anti-virus software on the endpoint devices used to process Government data. These measures are reviewed every quarter to ensure that they remain relevant and are aligned with the latest practices. To complement these standards, we have also implemented recommendations from the Public Sector Data Security Review Committee (PSDSRC) to clearly specify cybersecurity and data security requirements in vendor contracts and to conduct regular audits for compliance.

The Government audits vendors regularly and those that handle more sensitive and critical systems are audited more frequently. Vendors managing the most classified and sensitive data are audited annually while those handling less classified and sensitive data are audited once every two or three years. Vendors are required to submit a remediation plan within two weeks after the release of the audit report to address all audit findings.

The Government will impose penalties on the vendor if data is leaked. Repeat offences will be taken as an aggravating factor when determining the severity of penalties and may result in harsher penalties, such as seeking liquidated damages from the vendor, contract termination or debarment from all Government contracts for a period of time. In cases of deliberate or reckless mishandling of personal data, the negligent vendor may also be found criminally liable under the Personal Data Protection Act.