Opening Remarks by SMS Tan Kiat How for SG Cyber Safe for Enterprises

Distinguished Guests

Ladies and Gentlemen

A very good afternoon!

Threat and impact of cybersecurity incidents are real

1.      Recent high-profile cyberattacks have demonstrated severe impact on major enterprises and their customers. For instance, Jaguar Land Rover encountered ransomware attacks which forced them to shut down production lines and disrupted their global supply chain, whilst Asahi Group experienced data breaches affecting customer information data and operations across their global network. In the aviation sector, a cyber-attack targeted at a technology provider caused widespread flight delays and cancellations across major European airports.

Singapore enterprises are at risk too

2.      Cybersecurity incidents have real and significant impact on businesses. Beyond direct cost implications, these incidents erode customer trust and have long-term consequences for organisations.

3.      These risks and impact are not theoretical for Singapore. Over 8 in 10 enterprises in Singapore have encountered at least one cybersecurity incident in a year and 99% of them suffered negative business impacts, such as disruption to their business, data loss and reputation damage. Infected systems in Singapore increased by 67% from 2023 to 2024 – this is significant as these systems serve as launching pads for larger scale cybersecurity attacks, enabling attackers to steal sensitive data and disrupt business operations.

4.      We have also observed that cybercriminals are increasingly targeting SMEs and Information and Communications Technology (ICT) providers. SMEs tend to be resource constrained and lack dedicated IT or cybersecurity teams, so they may not have implemented adequate cybersecurity measures and are seen as easy targets. On the other hand, ICT providers serve many customers, cyber attackers see them as “scalable” opportunities, where the impact can ripple through the entire value chain of customers rather than just affecting one company.

5.      When I launched the Digital Enterprise Blueprint last year, I spoke about the importance for cybersecurity to go hand in hand with digitalisation. Today, let me elaborate on how the Government is working with like-minded partners to improve the cybersecurity of our enterprises.

a.      First, we will make it easier for enterprises to get support to secure their digital systems and to recover if they are victims of a cyberattack.

b.      Second, we will enhance efforts to strengthen supply chain security.

Enterprises will have easier access to cybersecurity support

6.      Enterprises can refer to the updated Cyber Essentials and Cyber Trust marks, which include emerging technologies such as cloud, Operational Technology (OT) and AI security. CSA’s CISO-as-a-Service programme has also been refreshed.

7.      Enterprises that are adopting these technologies in their operations can use the updated Cyber Essentials and Cyber Trust marks to identify gaps and take proactive steps to strengthen the cybersecurity posture of their systems.

8.      For those that need help in securing their systems with these emerging technologies, the refreshed CISO as-a-Service programme will help SMEs to adopt these new technologies securely and confidently, even with limited cybersecurity resources or expertise.

9.      With the expanded certification marks and CISO as-a-Service, these programmes directly support enterprises of all sizes, ensuring that enterprises receive accessible implementation support to secure their digital technology adoption.

10. It is heartening to see enterprises proactively being certified in these new digital technology pillars, and today, we will be acknowledging some of the first to complete certification.

11. Second, a new Cyber Resilience Centre (CRC) will be launched to provide a one-stop shop for enterprises, in particular, SMEs. This Centre serves as a central node to help businesses strengthen defences before attacks occur and recover quickly when incidents happen.

12. In terms of preventive cybersecurity support, SMEs can benefit from the workshops that this Centre will organise. These workshops include cybersecurity starter workshops that equip SMEs with baseline cyber hygiene measures that are aligned to CSA’s Cyber Essentials. There will also be programmes to help businesses to enhance their cybersecurity capabilities.

13. We know that prevention is better than cure. However, in the cyber space, the next cyberattack and compromise is not a matter of if but when. Hence, the Centre will also provide post-incident support to businesses. This will take the form of cyber incident triage, advisory and referral to incident response companies that can help them to recover when they are impacted by cybersecurity incidents. This is an important step because many companies, especially SMEs, are not sure of what do when they are hit by a cyber incident. They do not know who to turn to, what recourse they have; and what resources are available to them. So, this Centre will play a very important role in terms of helping companies uplift their cybersecurity posture and get support when incidents happen.

14. The Centre is established by Singapore Business Federation (SBF) with key founding members from other Trade Associations and Chambers (TACs) such as Singapore Chinese Chamber of Commerce and Industry (SCCCI) and SGTech and supported by CSA.

15. The Centre will commence operations in 2026 and is expected to improve baseline cybersecurity hygiene among Singapore enterprises, equip them with faster and coordinated response to cyber incidents, enhance trust and business confidence in digitalisation, and strengthened public-private partnerships in cyber resilience.

Enterprises will have greater assurance with a more secure supply chain

16. Today, businesses operate through interconnected supply chains where enterprises depend on service providers, and technology partners to function effectively – making enterprises as strong as their weakest link.

17. Recent international incidents underscore this concern. In September this year, a ransomware attack on a third-party check-in system disrupted multiple European airports, causing delays, cancellations and stranded passengers. This shows how a single vendor breach can cascade across multiple clients simultaneously, highlighting the interconnected nature of modern digital supply chains.

18. These examples - from government vendor risks to private sector supply chain vulnerabilities - demonstrate the critical importance of securing all types of supply chain partners.

19. It is difficult for enterprises, even larger ones to be able to have full visibility and influence over the cybersecurity of their supply chain partners. Hence, it is important for all parties to work together to collectively raise the cybersecurity standards.

20. Among these types of supply chain partners, Cybersecurity Service Providers (CSPs) play a particularly crucial role. They provide cybersecurity services that require close collaboration with enterprises, often involving significant access to their systems and sensitive information. If compromised, they could directly affect the resilience of the organisations that they are protecting and serving.

21. CSA is also enhancing the licensing framework for CSPs, including ongoing consultation for CSPs to minimally meet Cyber Trust Mark Tier 3 requirements. This tier provides a robust cybersecurity framework that addresses critical risks while remaining proportionate to CSPs' operational scale and risk profiles. We expect our CSPs to have better cybersecurity hygiene and capabilities than other enterprises because of the important role that they play.

22. At the same time, these enhanced licensing conditions will remain practical, allowing providers greater focus on strengthening defences and delivering trusted cybersecurity services.

23. Furthermore, requiring CSPs to meet these standards will also help safeguard the systems that deliver Singapore’s essential services, including our Critical Information Infrastructures, keeping them secure and resilient.

24. Beyond CSPs, the broader group of ICT vendors represent another type of supply chain partners that need to be secured. These vendors provide essential technology services that enterprises depend on. Similarly, if compromised, they directly affect the resilience of the organisations that they serve.

25. CSA and IMDA have co-developed a new Cyber Essentials framework for ICT vendors. This framework requires ICT vendors to establish essential security measures and controls. There are also plans for pre-approved vendors under the SMEs Go Digital initiative to minimally meet Cyber Essentials mark.

26. These will ensure that enterprises can be confident their vendors have implemented fundamental cybersecurity measures and good cyber hygiene practices are in place. It is an important step in strengthening supply chain trust and mitigating common cyber risks.

27. Together, these enhanced requirements for ICT vendors and CSPs will strengthen supply chain security by raising standards across the board.

Conclusion

28. To conclude, these measures further support cyber resilience across our enterprise ecosystem, making cybersecurity support more accessible and securing our supply chains.

29. Enterprises now have practical guidance through the expanded CISO as-a-Service programme, the support of the new Cyber Resilience Centre, and greater confidence that their partners through the new Cyber Essentials will have better cybersecurity hygiene practices in place.

30. This approach recognises that cybersecurity challenges require collective solutions, when supply chains are secure and support is accessible to all enterprises.

31. I strongly encourage all enterprises to take advantage of these measures. Cybersecurity and digitalisation must go hand in hand. As we benefit from digital technologies, including emerging technology like AI, it is even more important for enterprises to invest in cybersecurity for business operations and continuity; and importantly, to secure the trust and confidence of your partners and clients. The Government is committed to work together with all enterprises on this important journey to secure our cyberspace. Together, we can build a safer, more resilient digital Singapore that benefits everyone.

32. Thank you.