MCI response to PQ on Measures in Place to Ensure Companies Engage Licensed and Certified Third- or Fourth-party IT vendors to Minimise Risk of Data Breaches and Leaks

2. The government has put in place trustmark certifications to help companies better identify IT vendors with strong data and cyber security practices. The Data Protection Trustmark ("DPTM"), overseen by the Infocomm Media Development Authority ("IMDA") recognises companies with sound policies and practices to protect the personal data they manage, and use it responsibly. IMDA's DPTM covers more than 66 million personal data records held by 76 companies. This includes over 16 million records held by 30 companies certified from the ICT sector. Additionally, the Cyber Security Agency will launch the SG Cyber Safe Trustmark later this year to recognise companies with sound cybersecurity practices.

3. While companies are not required to engage certified vendors, we strongly encourage it. To further aid companies, the Personal Data Protection Commission ("PDPC") has issued guidelines to help them evaluate the data protection policies and practices of potential IT vendors, enabling companies to make more informed choices.

4. To enhance the security posture of companies and IT vendors, the Government has put in place measures such as regular cybersecurity advisories via SingCERT to help businesses mitigate cybersecurity risks expeditiously.