Tracking of Local Companies which Experienced Cyber Attacks over Past Two Years and Measure to Equip Companies with Capabilities to Enhance Cyber Resilience
Ministry of Home AffairsSpeakers
Summary
This question concerns Miss Cheng Li Hui’s inquiry regarding the tracking of cyberattacks on local companies, reporting mandates, and measures to enhance corporate cyber resilience. Minister Josephine Teo explained that while Critical Information Infrastructure (CII) owners are legally required to report incidents to the Cyber Security Agency of Singapore (CSA), other companies are encouraged to report to SingCERT. CSA received 1,238 incident reports from businesses in 2021 compared to 972 in 2020, and Minister Josephine Teo emphasized that CII owners must adhere to specific standards to ensure essential service delivery. For non-CII enterprises, the SG Cyber Safe Programme provides Cyber Essentials and Cyber Trust marks to help businesses demonstrate good practices and differentiate themselves to customers. Additionally, CSA offers cybersecurity toolkits for various company profiles to guide leaders and employees in implementing best practices and strengthening their overall cybersecurity posture.
Transcript
36 Miss Cheng Li Hui asked the Minister for Communications and Information (a) whether the Government tracks the number of local companies which experienced cyberattacks over the past two years; (b) whether companies which have experienced cyberattacks are required to report to the authorities; and (c) what are the current measures to equip local companies with the capabilities to enhance cyber resilience and to deal with cyberattacks.
Mrs Josephine Teo: The Cybersecurity Act requires owners of computers or computer systems designated as Critical Information Infrastructure (CII) to report cybersecurity incidents related to CII to the Cyber Security Agency of Singapore (CSA). This enables CSA to monitor and safeguard the cybersecurity of CII, which are crucial to the continuous delivery of essential services.
Beyond CII, CSA encourages all companies to report cybersecurity incidents to SingCERT at www.csa.gov.sg/singcert/reporting, even if the affected systems are not designated as CII. Doing so helps to augment CSA's awareness of the latest threats, and allows us to alert other companies to minimise the risk of them falling victim to similar cyberattacks.
In 2021, CSA received 1,238 reports of cybersecurity incidents from businesses and other organisations. In the preceding year, CSA received 972 such reports.
CII owners are required by the Cybersecurity Act to put in place measures to meet cybersecurity standards set by CSA. This helps to safeguard CII against cyberattacks and ensure their cyber resilience. For non-CII enterprises, in addition to SingCERT's advisories and alerts, CSA launched the SG Cyber Safe Programme in 2021 to encourage and help companies strengthen their cybersecurity posture. As part of this programme, CSA recently rolled out a cybersecurity certification programme for enterprises – comprising the Cyber Essentials and Cyber Trust marks – to recognise enterprises that have implemented good cybersecurity practices. They are visible indicators for companies to differentiate themselves and demonstrate that they have adopted the necessary cybersecurity measures to protect themselves and their customers. CSA has also developed cybersecurity toolkits for companies of various profiles to guide enterprise leaders and their employees on cybersecurity best practices.
CSA encourages all companies to apply for the Cyber Essentials and Cyber Trust marks and take advantage of the toolkits and resources available on CSA's SG Cyber Safe website.