Singapore cyber-related trust marks expanded to cover cloud, AI and operations tech

SINGAPORE – A trust mark of good cyber-security practices has given such a boost to technology firm Ascent Solutions that it is reapplying to keep its mark for another three years, even though it will not get a subsidy.

In all, after hiring consultants and auditors, the firm expects to pay about $10,000, similar to when it first got the Cyber Trust mark issued by the Cyber Security Agency of Singapore (CSA) in 2022.

Previously, however, almost 70 per cent of the cost was offset by government grants.

But the premium that the mark brings is worth it, said the firm’s director of professional services and data protection officer, Mr Daniel Chan.

“When we got (the Cyber Trust mark) in 2022, it really opened doors. We faced less resistance when it came to participating in tenders. We were invited to larger project tenders as well. At the same time, it gave assurances to partner companies when they made referrals,” he said.

Having the mark on its website alone, Mr Chan added, reassured prospective clients that the 50-employee firm specialising in supply chain logistics track-and-trace technology had the requisite cyber security.

On April 15, the Cyber Trust mark and Cyber Essentials certification were enhanced to cover new areas in cloud, artificial intelligence (AI), and operational technology used largely in manufacturing.

Organisations can apply to have any of the additional areas certified for an added fee, on top of a basic audit of their information technology measures and assets such as network and data inventory. First-time applicants will continue to get subsidies. The current marks will be phased out in February 2026.

The marks will help companies benchmark and show their preparedness to meet new risks, such as attacks on a company’s cloud services, unauthorised use of AI by employees at work – termed shadow AI – and vulnerabilities in old manufacturing devices or within the supply chain.

The enhancements come as more Singapore companies, including small and medium-sized enterprises (SMEs), adopt digitalisation.

Addressing 120 executives at a launch event for the expanded marks at the National Library, Senior Minister of State for Digital Development and Information Tan Kiat How said: “While such new technologies enable firms to be more productive, they also enlarge the attack surface. We see more cases of cyber breaches and loss of personal data, especially those involving SMEs in Singapore.”

He urged SMEs to leverage the Cyber Essentials certification, which offers practical measures against common cyber attacks.

Larger and digital enterprises can seek the Cyber Trust, which promotes a risk-based approach to cyber security, he added.

More than 500 businesses have at least the Cyber Essentials mark today, out of over 300,000 companies in Singapore. Over 99 per cent of these enterprises are SMEs.

Cloud computing is now mainstream among large enterprises, Mr Tan said, with over 30 per cent of SMEs also leveraging cloud solutions. While the Government will ensure cloud service providers have robust resilience, he urged businesses to take joint ownership.

“It is not a case of ‘leaving it’ to the cloud service provider. The enterprise also needs to secure their cloud usage, and they can take reference from the cloud security content in Cyber Essentials or Cyber Trust,” he said.

The marks, originally developed for organisations in Singapore, have been adopted by enterprises in Malaysia, Thailand, the Philippines and the Middle East.

A firm in Brunei is in the midst of getting certified.

The Government is sounding out businesses on the possibility of making certification mandatory for vendors with access to sensitive data or government systems, such as penetration testing firms and cyber-security auditors, as well as their subcontractors.

Mr Hoi Wai Khin, a partner at RSM Singapore, said it will be a good move. His firm, one of the vendors approved by CSA to help companies achieve the marks, plans to absorb the costs of being certified for now, given what he sees as a lack of appetite from businesses already facing rising costs.

“Unless there’s a mandatory requirement that they have to meet... if not, most SMEs would rather focus on business-generating opportunities rather than compliance,” he said.