Reports of Ransomware Incidents by Singapore-based Companies and Legislation on Ban of Ransom Payments

39 Mr Gerald Giam Yean Song asked the Minister for Digital Development and Information (a) how many ransomware incidents have been reported by Singapore-based companies in the past three years, with a breakdown by company size; (b) whether the Ministry plans to legislate a ban on ransom payments; and (c) what is the Ministry's assessment of the net benefit of such a ban, balancing reduced criminal funding against business impact.

Mrs Josephine Teo: On average, there were 141 ransomware incidents reported to Government agencies annually between 2022 to 2024. Around 60% of these incidents were reported by small and medium enterprises¹. The rest were reported by larger enterprises as well as non-profit organisations.

Singapore strongly discourages the payment of ransoms to ransomware actors. These attackers are criminals. Payment does not guarantee restoration of access to affected systems and data or prevent stolen data from being published. Organisations that have paid up may also be viewed as "soft targets" and prone to repeat attacks. Instead, we encourage everyone to adopt good cyber hygiene practices to better protect their systems and data against ransomware. We have made resources available at the Ransomware Portal to help them better protect themselves.

We are aware that some countries, such as the United Kingdom, are considering legislating a ban on ransom payments. The aim is to disincentivise ransom payments and, in so doing, cut off an important source of criminal funding for the ransomware industry. However, there are also concerns ransom payments may simply be pushed underground. We are therefore continuing engagements with our counterparts to better assess the effectiveness of legislating a ban.