Measures to Ensure Companies Engage Licensed IT vendors to Minimise Risk of Data Breaches and Leaks
Ministry of Home Affairs
Summary
This question, raised by Ms Joan Pereira, concerns measures to ensure that companies engage licensed IT vendors to minimise data breach risks. Minister for Communications and Information Josephine Teo explained that the Personal Data Protection Act mandates data protection, while the Government provides trustmark certifications such as the Data Protection Trustmark to help companies identify IT vendors with strong data and cyber security practices. Although engaging certified vendors is not mandatory, the Personal Data Protection Commission has issued guidelines to help companies evaluate the data protection practices of potential IT vendors. She noted that the Data Protection Trustmark currently covers over 66 million records, and that the Cyber Security Agency's SG Cyber Safe Trustmark will soon be launched. Finally, the Government enhances the security posture of companies and IT vendors through regular SingCERT advisories that help businesses mitigate cybersecurity risks expeditiously.
Transcript
53 Ms Joan Pereira asked the Minister for Communications and Information what measures are in place to ensure that companies which engage third- or fourth-party IT vendors select those that are licensed and certified by the Ministry so as to minimise the risk of data breaches and leaks.
Mrs Josephine Teo: The Personal Data Protection Act (PDPA) obliges all companies to protect the personal data they manage or process.
The Government has put in place trustmark certifications to help companies better identify IT vendors with strong data and cyber security practices. The Data Protection Trustmark (DPTM), overseen by the Infocomm Media Development Authority (IMDA), recognises companies with sound policies and practices to protect the personal data they manage and use it responsibly. IMDA’s DPTM covers more than 66 million personal data records held by 76 companies. This includes over 16 million records held by 30 companies certified from the ICT sector. Additionally, the Cyber Security Agency will launch the SG Cyber Safe Trustmark later this year to recognise companies with sound cybersecurity practices.
While companies are not required to engage certified vendors, we strongly encourage it. To further aid companies, the Personal Data Protection Commission (PDPC) has issued guidelines to help them evaluate the data protection policies and practices of potential IT vendors, enabling companies to make more informed choices.
To enhance the security posture of companies and IT vendors, the Government has put in place measures, such as regular cybersecurity advisories via SingCERT, to help businesses mitigate cybersecurity risks expeditiously.