GovTech and CSA both accept SOC 2 reports as vendor assurance artefacts. If a Delve-certified vendor sits anywhere in a Singapore government supply chain, the downstream agency has no way to know the attestation is hollow. Third-party risk management under Security Assessment and Testing assumes the auditor actually tested something. That assumption just broke.
Singapore’s GRC automation market is small enough that buyers default to US-backed platforms with recognisable names. This is the predictable failure mode. IMDA and CSA should be asking whether any locally contracted SaaS vendor holds a Delve-issued SOC 2 or ISO 27001 certificate, and whether existing procurement frameworks even have the teeth to catch this kind of manufactured compliance.
GovTech and CSA both accept SOC 2 reports as vendor assurance artefacts. If a Delve-certified vendor sits anywhere in a Singapore government supply chain, the downstream agency has no way to know the attestation is hollow. Third-party risk management under Security Assessment and Testing assumes the auditor actually tested something. That assumption just broke.
Singapore’s GRC automation market is small enough that buyers default to US-backed platforms with recognisable names. This is the predictable failure mode. IMDA and CSA should be asking whether any locally contracted SaaS vendor holds a Delve-issued SOC 2 or ISO 27001 certificate, and whether existing procurement frameworks even have the teeth to catch this kind of manufactured compliance.