5% of top SG firms hit directly, 100% exposed via vendor breaches: report

The dominant threat was vendor-related data leaks, which accounted for 72% of third-party incidents.

Only 5% of Singapore’s top 100 companies experienced direct cyberattacks last year—mostly malware infections—but every one of them was exposed through third- and fourth-party breaches, according to a new report by SecurityScorecard.

The dominant threat was vendor-related data leaks, which accounted for 72% of third-party incidents.

The firm analyzed the top 100 companies by market capitalization and found that all were affected by at least one third-party breach in the past year.

All also had confirmed breaches involving their fourth-party ecosystems—the vendors of their vendors. Despite these exposures, 91% of firms scored an “A” for internal cybersecurity hygiene.

Sector analysis showed that Agriculture, Energy, and Healthcare companies performed well, with 100% earning A ratings and reporting no direct breaches. However, all were still affected by third-party compromises.

The Technology sector, despite its strong ratings, recorded the highest direct breach rate at 40%, suggesting high-value targets face more persistent and advanced threats.

Internationally, Singapore outperformed its peers in internal posture, with only 4% of companies receiving a “C” grade or lower—compared to 24% in the UK, 34% in Germany, and 41% in Italy.

But its 100% third-party breach rate exceeded even Australia’s 97%, underscoring the global scale of supply chain vulnerability.

SecurityScorecard urged organizations to treat cyber risk as a strategic, board-level issue. It recommended continuous monitoring of third- and fourth-party ecosystems, strengthening of DNS and endpoint protections, improved patching cadence, and integrating cyber performance into procurement standards.