Uplift Your Cybersecurity Posture with BDO's SSIR Cybersecure Audit for IMDA Compliance
The Infocomm Media Development Authority (IMDA) mandates that all participating Singapore SMS Sender ID Registry (SSIR) licensees appoint an external auditor for an independent cybersecurity audit, in compliance with Section 31(1) of the Telecommunications Act 1999. This mandatory audit is critical in strengthening cybersecurity defence and combating SMS phishing scams.
Achieve IMDA’s Cybersecurity Compliance by 1 October 2025
With IMDA’s Cybersecurity Standards deadline approaching on 1 October 2025, SSIR licensees must take proactive steps to assess and strengthen their cybersecurity frameworks to maintain regulatory compliance. Non-compliance can lead to penalties, reputational damage, and heightened security risks.
Key Obligations of SSIR Licensees
Key obligations under the SSIR regime for participating licensees include:
- Compliance with IMDA’s Cybersecurity Standards: Participating licensees must achieve and comply with IMDA’s cybersecurity standards by 1 October 2025, unless another timeline is specified.
- External Audits: Participating licensees must appoint a suitable external audit firm to conduct independent audits to ensure compliance with IMDA’s Cybersecurity Standards. IMDA retains the right to audit any participating licensee for compliance.
- Rectification of Non-Compliance: If an audit reveals any non-compliance, participating licensees must rectify such non-compliance issues as soon as reasonably practicable.
- Acknowledgement and Clarification: Participating licensees must acknowledge receipt of IMDA’s directive within seven days and seek any necessary clarifications in writing.
- Incident Reporting: Participating licensees must report any confirmed incidents of unauthorised access or data leakage that result in the delivery of suspected scam SMS to Singapore mobile subscribers.
- Implementation of Security Measures: Participating licensees must implement various security measures, including two-factor authentication (2FA), IP whitelisting, role-based access, audit logging, encrypted channels, and secure transport using IPsec VPN or TLS.
- Monitoring and Alerts: Participating licensees must monitor account activities for anomalies, such as multiple failed login attempts and surges in SMS traffic, and send notifications to affected users within 12 hours of detecting such anomalies.
- Change Management: Any changes to infrastructure or service access must be authorised by the cybersecurity team or relevant personnel with sufficient authority and seniority.
Penalties for Non-Compliance
If a participating licensee is found to be non-compliant with the SSIR regime, the following actions will be taken:
- Rectification Requirement: The participating licensee must rectify the non-compliance as soon as reasonably practicable. IMDA may conduct or arrange for subsequent audits to ensure that all non-compliance issues have been fully rectified.
- Further Audits: IMDA may conduct additional audits or checks to verify that the non-compliance issues have been addressed. Participating licensees must cooperate fully with IMDA and provide all necessary support, access, information, and assistance during these audits.
- Incident Reporting: If non-compliance leads to incidents such as unauthorised access or data leakage resulting in the delivery of suspected scam SMS, the participating licensee must report the incident to IMDA within specified timelines. This includes providing an initial incident report within two hours and a detailed written report within three days.
- Suspension or Termination of Services: IMDA may require the participating licensee to suspend or terminate its SMS-sending services to relevant customers within a reasonable timeframe to prevent further issues.
- Compliance Monitoring: IMDA monitors the participating licensee's efforts to rectify non-compliance through regular updates and executive summaries submitted by auditors. IMDA may request full audit reports to ensure ongoing compliance.
Cybersecurity Standards: Mandatory Controls

Be IMDA-Compliant with BDO’s SSIR CyberSecure Audit Service
BDO’s SSIR CyberSecure Audit is designed specifically for SSIR licensees, delivering independent, expert-led cybersecurity audits to ensure a seamless path to compliance. Through thorough assessments, we ensure complete adherence to IMDA’s cybersecurity guidelines and Section 31(1) of the Telecommunications Act 1999.
We don’t just identify gaps — we help rectify them. Our cybersecurity team supports rectifying non-compliance issues, including implementing robust security measures to strengthen your cybersecurity posture.
Why Choose BDO?
- Industry Experts in Cybersecurity Compliance: Our auditors bring deep expertise in cybersecurity and regulatory audits across the telecommunications landscape.
- IMDA-Aligned and Future-Ready: We ensure your cybersecurity measures meet IMDA’s evolving standards.
- Minimise Operational Disruptions: Our structured audit approach minimises downtime and operational disruptions while delivering a thorough and efficient audit process.
- Trusted by Industry Leaders: With a proven track record across technology, media, telecommunications, and financial sectors, BDO is the partner of choice for leading organisations in cybersecurity excellence.
Don't Wait—Schedule Your SSIR CyberSecure Audit Today
With the 1 October 2025 compliance deadline fast approaching, don’t leave it to chance. Secure your SSIR license with confidence and take proactive steps to strengthen your cybersecurity posture.
Contact us now to schedule your SSIR CyberSecure Audit and stay ahead of regulatory requirements!