Cyber readiness · Software, IT services & MSPs
Cyber readiness for software and IT vendors.
When you sell software or IT services, a breach in your systems becomes a breach in your customers’. That is why buyers now vet your security before they sign. Here is what goes wrong, and the marks that answer it.
Why software vendors are a supply-chain target.
Software firms, IT vendors and MSPs are not just targets; they are distribution channels. A single flaw or compromised credential at the vendor cascades into every client the vendor touches, which is exactly why global attackers (and Verizon's Data Breach Investigations Report) have made third-party/supply-chain compromise one of the fastest-growing breach patterns: third-party involvement in breaches doubled from 15% to 30% of all breaches between the 2024 and 2025 DBIR editions. In Singapore this risk is not hypothetical; PDPC has already fined two local SaaS providers (Singapore Data Hub, People Central) for exactly the kind of basic security gaps (unpatched servers, weak passwords, no vulnerability testing) that let attackers walk in and exfiltrate hundreds of thousands of client records. Because an IT vendor sits inside its customers' networks, holds source code, admin credentials, and client data, and is often the update mechanism itself, enterprise and government buyers increasingly treat vendor security certification as a precondition to doing business, not a nice-to-have.
Government and GLC tenders increasingly expect or score recognised cybersecurity certification from ICT suppliers; CSA and IMDA are formalising this. For IMDA's SMEs Go Digital pre-approved vendor programme, a valid Cyber Essentials (or higher, e.g. Cyber Trust, ISO 27001) certification is required as of the Annual Review, assessed as a mandatory criterion, not just encouraged at application. CSA has also built a dedicated "Cyber Essentials for ICT Vendors" sub-scheme (Annex A-ICT) specifically for vendors supplying ICT systems, network infrastructure, cloud services and software, with controls such as version-controlled source code so a compromised release can be rolled back. Separately, MAS and CSA are examining whether Cyber Essentials/Cyber Trust should become a mandatory licensing/procurement condition for vendors touching sensitive government or financial-sector data, a direction that already shows up informally in enterprise vendor risk questionnaires post-SolarWinds/Kaseya/MOVEit.
Real cases, not scare stories.
Every case below was publicly reported by a named source, and the Singapore ones by the regulator itself. Checked July 2026.
- International 2023
MOVEit Transfer zero-day exploited by Cl0p
Cl0p ransomware/extortion group exploited a zero-day in Progress Software's MOVEit Transfer, a widely used managed file-transfer product.
Cl0p exploited an SQL-injection zero-day (CVE-2023-34362, CVSS 9.8) in MOVEit Transfer and deployed a custom web shell (LEMURLOOT) to steal data directly from customers' databases. Because MOVEit is a file-transfer product embedded in thousands of organisations' data flows, a single vendor vulnerability became a breach for every downstream customer.
What it cost. Independent trackers estimate the campaign hit roughly 2,700+ organisations and exposed the data of an estimated 90+ million individuals worldwide (figures are third-party estimates from Emsisoft and KonBriefing tracking, not a hard official count). Named victims reported in public include the BBC, British Airways and Aer Lingus (via UK payroll provider Zellis) and the US Department of Energy - all breached through a software vendor's flaw rather than their own systems.
Why it matters to you. The textbook case for why a software vendor's single vulnerability becomes every customer's breach - the exact liability a Singapore software or IT vendor inherits when it holds client data or exposes file-transfer/integration software to the internet.
Source: CISA/FBI joint advisory AA23-158A (#StopRansomware: Cl0p); Google Cloud/Mandiant threat intelligence; victim/individual totals from Emsisoft and KonBriefing tracking
- International 2021
Kaseya VSA supply-chain ransomware attack
REvil ransomware gang exploited a vulnerability in Kaseya's VSA remote-monitoring-and-management (RMM) software used by MSPs.
REvil exploited an authentication-bypass vulnerability in Kaseya VSA and pushed a malicious fake update that deployed ransomware through roughly 60 managed service providers (MSPs) straight into their downstream client businesses - turning the MSPs' own management tooling into the delivery mechanism.
What it cost. Public reporting estimates between 800 and 1,500 downstream businesses were affected across multiple countries. The most-cited victim, Swedish supermarket chain Coop, had to close roughly 800 stores for several days because its point-of-sale systems were managed via a Kaseya-using MSP. REvil publicly demanded a US$70 million ransom for a universal decryptor.
Why it matters to you. Maps directly onto the Singapore MSP model: an MSP's own remote-management tooling is a single point of failure that can cascade ransomware into every client it serves.
Source: CISA/FBI guidance for MSPs and their customers (July 2021); Kaseya public statements; Wikipedia summary of public reporting
- International 2020
SolarWinds Orion supply-chain compromise (Sunburst)
State-linked attackers, attributed by the US and UK to Russia's SVR (APT29 / 'Cozy Bear'), compromised SolarWinds' software build environment.
Attackers inserted malicious code (Sunburst) into routine, digitally signed Orion platform updates. The compromise sat undetected for roughly nine months before FireEye's discovery triggered public disclosure in December 2020. It was a compromise of the software build and update mechanism itself, not a conventional data breach.
What it cost. Fewer than 18,000 SolarWinds customers are believed to have installed the malware-laced Orion update (out of roughly 33,000 Orion users and ~300,000 SolarWinds customers overall); active follow-on exploitation was far narrower, with fewer than ~100 organisations actually targeted for espionage. Industry estimates put total insured losses at around US$90 million.
Why it matters to you. The reference case for why enterprise and government buyers now demand proof of secure software development and update-integrity (version control, signed builds, rollback) from every vendor in their supply chain - the origin of today's vendor due-diligence questionnaires.
Source: FireEye disclosure (Dec 2020); US/UK government attribution (April 2021); SolarWinds statements and TechTarget/SecurityWeek reporting on the ~18,000 figure; National Law Review / Channel Futures on the ~US$90M insured-loss estimate
- Singapore 2025 (breach occurred 2024; decision 7 April 2025)
Singapore Data Hub Pte Ltd - PDPC enforcement (SaaS data breach)
Singapore Data Hub Pte Ltd, a Singapore SaaS provider holding a high volume of personal data on behalf of its clients.
PDPC found the provider suffered unauthorised access on two separate occasions (28 April 2024 and 14 June 2024) by at least two threat actors. Its web servers were publicly accessible, ran outdated operating systems, and had not undergone reasonable vulnerability scanning, patching or periodic security reviews. PDPC found a breach of the Protection Obligation (s24(a) PDPA) for failing to provide reasonable access controls (including a strong password policy) and to conduct reasonable periodic security reviews.
What it cost. Personal data of 689,000 individuals was exfiltrated and likely posted on a hacking forum on 6 May 2024. PDPC imposed a S$17,500 financial penalty.
Why it matters to you. A Singapore SaaS/IT-vendor case exactly on point: basic-hygiene failures (patching, password policy, vulnerability scanning) that Cyber Essentials and Cyber Trust are built to close - at a scale (689,000 records) that shows how one under-secured vendor's breach impact dwarfs its own headcount.
Source: PDPC enforcement decision, Singapore Data Hub Pte Ltd, 7 April 2025 (pdpc.gov.sg); Baker McKenzie legal alert, Jan 2026
- Singapore 2026 (breach occurred 2024; decision 8 January 2026)
People Central Pte Ltd - PDPC enforcement (HR SaaS extortion breach)
People Central Pte Ltd, a Singapore HR SaaS provider.
On 29 April 2024 the provider received an extortion email from a threat actor; investigation found the attacker had deleted databases and likely exfiltrated client employee data, which subsequently appeared for sale on the dark web. PDPC found a breach of the Protection Obligation, citing a lack of two-factor authentication and insufficient security testing (no periodic security reviews, vulnerability assessments or penetration testing).
What it cost. Personal data of 95,000 employees of People Central's clients was affected, with a further 24,765 individuals (emergency contacts and children of employees) put at risk. PDPC imposed a S$17,500 financial penalty.
Why it matters to you. Shows the extortion/ransomware pattern hitting a small Singapore B2B SaaS vendor directly - and that the vendor, not just its clients, bears the PDPC penalty and reputational fallout when it is custodian of clients' employee and dependent data.
Source: PDPC enforcement decision, People Central Pte Ltd, 8 January 2026 (pdpc.gov.sg); Baker McKenzie legal alert, Jan 2026
Ransomware can encrypt your business data and demand payment for its return. Reliable, tested backups are the most effective safeguard.
Ransomware lock up all your files, then ask you pay to get them back. Pay also might not return. Got proper backup? You just restore and carry on. No drama.
What you actually need to protect.
- Source code repositories and build/CI-CD pipelines (the update mechanism attackers hijack, as in SolarWinds)
- Privileged admin credentials and remote-management tooling used to reach client environments (the exact vector in the Kaseya attack)
- Client personal data and business data held or processed on behalf of customers (the PDPC-cited failure in both Singapore Data Hub and People Central)
- API keys, cloud service credentials and secrets embedded in code or config
- Customer contact lists, contracts and support tickets that reveal which organisations rely on the vendor
- Backup and disaster-recovery systems (targeted directly in ransomware/extortion cases like People Central)
- Any file-transfer or integration software exposed to the internet (the MOVEit vector)
Where to start.
Start with Cyber Essentials (ICT Vendor sub-scheme): it is the baseline IMDA is already making mandatory for Go Digital pre-approved vendors and covers exactly the gaps PDPC penalised at Singapore Data Hub (patching, access control, vulnerability testing) and the version-control/rollback discipline that would have blunted a SolarWinds-style build compromise. Once a vendor is handling higher-risk client data, larger contracts, or government/GLC tenders, step up to Cyber Trust, which is risk-tiered for more digitalised, higher-exposure organisations. If the vendor also processes significant volumes of personal data as a SaaS/data processor (as in both PDPC cases here), pair this with Data Protection Essentials (DPE) or the fuller Data Protection Trustmark (DPTM) to directly address the Protection Obligation failures that have already produced real PDPC fines in this exact sector. ISO 27001 is the natural next step for vendors selling into regulated enterprise or cross-border customers who require an internationally recognised ISMS.
Talk it through with a consultantThe rules that apply to you
- PDPA Protection Obligation (s24): enforced by PDPC; already produced fines against SG SaaS/IT vendors in this sector (Singapore Data Hub, People Central)
- PDPA mandatory data breach notification requirement (Personal Data Protection (Notification of Data Breaches) Regulations 2021)
- Cybersecurity Act 2018 (amended 2024): extends obligations beyond Critical Information Infrastructure owners to foundational digital infrastructure service providers and entities of special cybersecurity interest
- CSA Cyber Essentials / Cyber Trust marks, including the Cyber Essentials for ICT Vendors sub-scheme (Annex A-ICT)
- IMDA SMEs Go Digital pre-approved vendor scheme: Cyber Essentials Mark assessed as mandatory at Annual Review
- IMDA/DPTM (Data Protection Trustmark) and Data Protection Essentials (DPE) administered under IMDA/PDPC
Questions from software owners
We're a small dev shop or 2-person MSP. Do these certifications even apply to us?
Yes, and increasingly that's the point: Cyber Essentials was designed as the baseline tier for exactly this size of business, and the ICT Vendor sub-scheme exists because CSA recognises that even small software/IT suppliers sit inside their clients' networks and supply chains. IMDA's Go Digital vendor scheme already treats it as a mandatory Annual Review requirement, not an enterprise-only bar.
Our clients haven't asked for a security mark yet. Why act now?
Because when they do ask, it's usually inside a tender deadline or a due-diligence questionnaire you can't turn around in time. PDPC has already fined two Singapore SaaS vendors (Singapore Data Hub, People Central) for gaps (unpatched servers, weak passwords, no vulnerability testing) that a Cyber Essentials assessment is built to catch before a regulator or a customer finds them first.
We don't hold much personal data, just source code and infrastructure access. Are we still exposed?
Source code and privileged credentials are exactly what attackers went after in SolarWinds and Kaseya; neither of those was primarily a personal-data breach, they were compromises of the update and remote-management mechanisms IT vendors use to reach client systems. Cyber Essentials/Cyber Trust cover this ground (access control, secure development, version control) separately from the PDPA data-protection marks.
What's the actual difference between Cyber Essentials, Cyber Trust, DPE and DPTM for a vendor like us?
Cyber Essentials and Cyber Trust (CSA) certify your cybersecurity hygiene and controls, tiered by risk and complexity: Essentials is the SME baseline, Trust is for larger or higher-exposure operations. DPE and DPTM (IMDA/PDPC) certify how well you handle personal data specifically under the PDPA. If you're a SaaS vendor processing client data (like the two PDPC-fined vendors above), you likely need both a cybersecurity mark and a data-protection mark: they cover different obligations.
Get audit-ready before a client asks.
A 30-minute chat, no obligation, and a straight answer on which mark your sector actually needs first.