Committee of Inquiry report highlights cybersecurity implications for businesses

On 10 January 2019, the Committee of Inquiry (COI) released its report on the cyberattack on SingHealth last year that resulted in the theft of 1.5 million patients' personal particulars.

Key findings of the report include the following:

  • Lack of cybersecurity training among staff
  • Staff in key positions failed to take required actions
  • Vulnerabilities in network and systems not fixed
  • Skilled and well-equipped attackers
  • Breach could have been averted if vulnerabilities were fixed and staff were trained properly

Additionally, the report also detailed 16 recommendations from the COI, of which seven were priority recommendations and nine were additional recommendations.

The seven priority recommendations include the following:

  • An enhanced security structure must be adopted by public health institutions.
  • The effectiveness of network security processes must be reviewed.
  • Cybersecurity awareness among staff must be improved.
  • Enhanced security checks on critical information infrastructure systems
  • Greater monitoring and tighter controls on administrator accounts
  • Improve incident response process for cyberattacks
  • Partnership between industry and government to achieve a higher level of security

Why should businesses be concerned?
Any of the five key findings of the COI report might be an issue for companies in any industry. While auditing firms from different industries, we identified one or more of these issues, some of which need to be addressed under relevant standards or guidelines.

What actions can a business take?
The findings and recommendations in the COI report are based on common cybersecurity standards. Companies should continue to ensure that they comply with existing standards or guidelines such as ISO 27001, Outsourced Service Provider Audit Report (OSPAR), Monetary Authority of Singapore Technology Risk Management Guidelines (MAS TRM) and Singapore Standards on Assurance Engagements (SSAEs). Businesses should take the following actions to address the key findings of the COI report:

  • Ensure that staff are given proper awareness training in cybersecurity
  • Give key staff members clear and proper instructions on how to respond when an incident occurs
  • Conduct vulnerability assessments on computer systems and ensure that findings are addressed in a timely manner


Hoi Wai Khin, Director, Risk Advisory
T: +65 6594 7880
[email protected]