The Cybersecurity (Amendment) Act 2024 reflects Singapore’s evolving approach to national cyber resilience, where security responsibility extends beyond internal systems to include external dependencies that support essential services.
The Act strengthens the Cybersecurity Act 2018 by expanding regulatory scope to include third-party systems, supply chain dependencies, and externally operated infrastructure that are critical to service delivery.
This shift recognises that modern cyber risks no longer originate solely within organisational boundaries, but increasingly through interconnected vendors, cloud providers, and service ecosystems.
Why Third-Party Risk Is Now a Priority
Critical services are increasingly delivered externally via cloud hosting, managed security, and software platforms. While organisations may outsource functions, the Cybersecurity (Amendment) Act 2024 makes it clear that responsibility cannot be delegated away.
Critical services are externally delivered
Many essential functions such as cloud hosting, managed security, and software platforms are now operated by third-party providers. This means service continuity and security are no longer fully controlled internally.
Risk is transferred, not removed
Outsourcing services does not eliminate cyber risk. Instead, it shifts exposure to external environments, where security maturity and governance may vary significantly across vendors.
Supply chains create indirect attack paths
Attackers increasingly target weaker vendors as entry points into stronger organisations. A compromise in one supplier can cascade across multiple downstream systems and entities.
Shared infrastructure increases systemic exposure
Cloud platforms and shared digital infrastructure mean multiple organisations often rely on the same underlying systems. A single vulnerability can therefore have a wide-reaching impact.
Accountability remains with the organisation
Regulatory expectations in Singapore make it clear that responsibility cannot be outsourced. Organisations remain accountable for ensuring third-party systems meet required security standards.
Key Changes Introduced by the Amendment
The Cybersecurity (Amendment) Act 2024 introduces significant updates that expand regulatory scope and strengthen expectations around third-party and ecosystem-wide cyber risk management.
1. Expanded regulatory scope
The Act extends oversight beyond traditional Critical Information Infrastructure (CII) to include third-party-owned systems that support essential services. This ensures that outsourced or cloud-based components are still governed under national cybersecurity expectations.
2. Strengthened supply chain accountability
Organisations are now expected to maintain clear responsibility for vendor security through contractual obligations, risk assessments, and ongoing oversight. This reinforces the principle that cybersecurity responsibility cannot be delegated away, even when services are externally operated.
3. Expanded regulatory categories
The amendment introduces new regulated classes such as third-party-owned CII and foundational digital infrastructure providers, reflecting the growing role of cloud, data centre, and managed service ecosystems in national operations.
4. Enhanced incident visibility and reporting
Organisations must now report a wider range of cybersecurity incidents, including those originating from supply chain environments. This improves situational awareness and enables earlier regulatory response to systemic risks.
Challenges in Managing Third-Party Cyber Risk
Managing third-party risk is increasingly difficult as organisations rely on complex, interconnected vendor ecosystems with varying levels of security maturity and visibility.
- Limited visibility into vendor environments: Organisations often rely on vendor assurances rather than real-time visibility into security operations, creating blind spots where vulnerabilities can go undetected until an incident occurs.
- Inconsistent security maturity across suppliers: Third-party ecosystems vary widely in security maturity, creating inconsistent controls and uneven risk across the supply chain.
- Over-reliance on trust-based assurance: Many vendor relationships rely on periodic audits and trust-based models rather than continuous verification, which is no longer sufficient in dynamic threat environments.
- Complex multi-layered dependencies: Modern digital ecosystems include nested vendors and subcontractors, where a single compromise can cascade across interconnected systems and amplify systemic risk.
Strengthening Third-Party Cyber Resilience
To comply with the Cybersecurity (Amendment) Act 2024, organisations must move beyond static vendor management.
Shift from static trust to continuous assurance
Organisations must move from one-time onboarding checks to continuous monitoring of vendor security posture. Continuous assurance enables early detection and response to changes in risk, environment, or controls.
Embed cybersecurity into procurement governance
Security must be built into procurement from the start, not added later. This includes clear contractual security requirements, defined audit rights, and mandatory incident reporting obligations to ensure accountability across all vendor relationships.
Build ecosystem-wide visibility
A consolidated view of all third-party dependencies helps organisations understand cumulative exposure across their supply chain. This visibility enables better prioritisation of high-risk vendors and more informed risk management decisions.
Align third-party risk with enterprise governance
Third-party cybersecurity risk should be treated as part of enterprise risk management, not a standalone function. This ensures consistent oversight at board and executive level, aligning vendor risk with overall organisational risk appetite.
Securing What You Do Not Directly Control
The Cybersecurity (Amendment) Act 2024 reinforces a clear reality. Modern cybersecurity is no longer confined to internal systems. It now extends across vendors, platforms, and interconnected digital ecosystems that collectively deliver critical services.
In this environment, third-party risk is a core governance issue requiring continuous oversight, clear accountability, and full supply chain visibility. The challenge is turning fragmented vendor relationships into a structured security posture.
Zentara helps security and leadership teams simplify third-party complexity, from mapping exposure to strengthening governance and enabling continuous assurance for proactive ecosystem resilience.
Cybersecurity is no longer just about protecting what sits inside the perimeter. It is about confidently securing everything connected to it.

