Opening Remarks by SMS Tan Kiat How at Launch of Expanded Cyber Essentials and Cyber...

Opening Remarks by Senior Minister of State for Digital Development and Information Tan Kiat How at the Launch Event for the Expanded Cyber Essentials and Cyber Trust Marks on 15 April 2025

Securing the Future: Adapting Cybersecurity for a Shifting Digital Era

Distinguished guests

Ladies and Gentlemen

Introduction

1. Good afternoon. I am very glad to see many of you here today, for a very important topic about securing our cyberspace, and what steps we can take together.

   The need to adapt cybersecurity for a shifting digital era

2. As we all know, digitalisation is picking up pace. Enterprises in Singapore are pushing ahead with their digital transformation - large enterprises, and many SMEs as well. We see cloud computing become mainstream with large enterprises. About one-third of Small and Medium Enterprises (SMEs) are using cloud.

3. Artificial Intelligence (AI) is an exciting area of technology, where companies are adopting AI to improve productivity, create new business models or new markets for their products. The Government is supporting enterprise AI adoption through various initiatives, including the IMDA's GenAI sandbox and the GenAI playbook for enterprises.

4. While such new technologies enable firms to be more productive, they also enlarge the cyber attack surface. We are seeing more cases of cyber breaches and loss of personal data, especially those involving SMEs in Singapore.

5. It is therefore timely for CSA to update the Cyber Essentials and Cyber Trust certification marks to include coverage of cloud security, AI security and Operational Technology, or OT.

6. Cyber Essentials is targeted towards SMEs. It is designed for smaller or less digital enterprises, proposing protection measures from common cybersecurity attacks. Cyber Trust helps larger or more digital enterprises to adopt a risk-based approach to implementing cybersecurity.

7. With the update, Cyber Essentials and Cyber Trust will provide coverage and protection for enterprises that are implementing cloud computing, AI and OT. Let me briefly outline the key updates.

8. First on cloud computing - when enterprises embrace cloud computing, the responsibility for cybersecurity is shared between the cloud service provider and the enterprise - this is referred to as the "cloud shared responsibility model".

9. On one hand, cloud service providers are key providers of digital infrastructure, and we will ensure that they have robust digital resilience. But, on the other hand, enterprises also need to do their part. It is not a case of "leaving it" to the cloud service provider; the enterprise also needs to secure their cloud usage, and they can take reference from the cloud security content in Cyber Essentials or Cyber Trust.

10. The second area, AI - as enterprises experiment with and innovate with AI, we need to protect ourselves from the risks associated with the use of AI. Examples include "shadow AI", which refers to the unsanctioned use of AI tools by employees without approval or oversight of the IT department, or accidental leakage of information, and the output of inappropriate information.

11. In a World Economic Forum (WEF) survey, 66% of organisations polled expect AI to have the most significant impact on cybersecurity. Enterprises that have AI users can now refer to the AI security content in Cyber Essentials and Cyber Trust.

12. The third area, OT - with the rise of Industry 4.0, we are seeing a convergence of the OT environment and the IT environment. This has an impact on key sectors in Singapore, such as manufacturing. While IT prioritises data management, focusing on the confidentiality, integrity and availability of information, OT prioritises real-time control and safety of physical processes and equipment in industrial settings.

13. The practices to secure an IT environment are not necessarily feasible in an OT environment, where the investment cycle is long, and legacy protocols and equipment may still be in use. OT enterprises can now refer to the OT security content in Cyber Essentials and Cyber Trust to secure their OT environment. We are not just looking at securing your IT environment and OT environment, but increasingly, at the nexus of the IT and OT boundaries, as more global systems become more IT-like, and more systems invite automation and more OT processes and protocols. I am very glad that CSA is taking these steps to update these Essential and Trust marks, to include computing, AI and OT - all very important areas for digital enterprises.

14. Let me make a few brief remarks in Mandarin.

15. 现在，请允许我用华语总结关键内容：

16. 虽然使用新兴数字技术可以提升效率，却也可扩大攻击面。我们看到了很多网安漏洞及个人数据泄露事件的发生，尤其涉及到新加坡的中小企业。

17. 新加坡网安局（CSA）此时扩展 "网络安全 基本能力 标志"（Cyber Essentials）和 "网络安全 信誉 标志"（Cyber Trust）的认证范围 非常及时，新增三大领域：

    （一）云 安全

    （二）人工智能 安全

    （三）运营技术 安全。

18. 政府还在计划全面提升国家网络安全标准，特别是针对高风险的行业机构。网安局正在评估，要求接触敏感数据的机构必须取得相关网络安全认证才可以参与政府合同竞标。具体实施方案将在筹备完成后另外公报。

    The need to simplify cybersecurity for SMEs and take a systematic approach to uplift cybersecurity of the wider cyberspace

19. We have received industry feedback that implementing cybersecurity can be challenging for SMEs. To simplify cybersecurity for SMEs, CSA taps on cybersecurity consultants that play the role of their Chief Information Security Officer [(CISO) as-a-Service]. These consultants help SMEs to implement cyber hygiene measures aligned to the Cyber Essentials mark.

20. Government funding support is available for eligible SMEs. We are heartened to see more than 500 organisations acting on the importance of cybersecurity by attaining at least Cyber Essentials certification.

21. In recent years, cyber threats have become more severe, and criminal groups are increasingly going online to look for illicit gains. We need a more systematic approach to raise baseline cybersecurity standards nationally and protect more organisations, especially those of higher risk.

22. As shared at our Ministry's Committee of Supply Debate this year, CSA is assessing if more measures are needed, particularly for vendors that may be given access to sensitive data or systems within Government.

23. Such vendors include cybersecurity penetration testing firms, and cybersecurity auditors. Possible measures include requiring these vendors and their subcontractors to obtain their Cyber Essentials and/or Cyber Trust marks before they can be licensed or bid for contracts offered by Government. CSA will be engaging the industry on the way ahead.

    Working together to uphold Singapore's standing as a trusted digital hub

24. Cyber Essentials and Cyber Trust are domestic marks, originally developed to uplift the cybersecurity posture of enterprises in Singapore.

25. We are glad that there has been interest from countries in the region. We understand that there are enterprises in Malaysia, Thailand, Philippines and the Middle East, who have been certified, with possibly another firm in Brunei going through the process.

26. Beyond raising the cybersecurity posture of our enterprises and securing our digital economy, there are market opportunities for our firms, building on the brand of trust and reliability that Singapore is known for.

27. I look forward to the collective effort of all stakeholders in this effort as we build a vibrant digital economy that provides opportunities for all enterprises and our workers.

28. Thank you.