Budget 2026: Singapore mandates stricter security for home routers, raises bar for critical infrastructure
The measures aim to better protect consumers from cyberthreats and raise baseline national cybersecurity standards
Add BT as a preferred source
[SINGAPORE] All residential routers sold in Singapore will need to meet higher cybersecurity standards by 2027, said Senior Minister of State for Digital Development and Information Tan Kiat How on Monday (Mar 2).
At his ministry’s Committee of Supply debate, Tan said that the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority intend to raise the minimum cybersecurity requirement for routers to the equivalent of Cyber Labelling Scheme (CLS) Level 2.
CLS ranges from Levels 1 to 4, with all home routers currently required to meet Level 1, the most basic security standard.
Under Level 2, manufacturers will need to ensure that residential routers incorporate stronger security measures for communications and sensitive data storage, as well as robust authentication mechanisms to protect users’ data and privacy.
The move will better protect consumers from cyberthreats and reduce the risk of devices being compromised by malicious cyberactors.
This comes after cyberattackers infected more than 2,700 digital devices – including routers and baby monitors – in Singapore last year.
“When such personal devices are hacked, citizens’ privacy can be compromised and their daily activities... disrupted,” Tan said.
Besides home routers, Internet Protocol cameras are another common target for cyberthreat actors. CSA will therefore consider also making it mandatory for these devices to meet CLS Level 2 requirements.
“CSA will continue to monitor and review if more digital devices should be required to meet minimum cybersecurity standards,” Tan added.
Raising cybersecurity standards
Beyond hardware, CSA is also raising standards for owners of critical information infrastructure (CII).
Tan said these organisations will be required to meet Cyber Trust Mark (CTM) requirements, with the aim of raising baseline national cybersecurity standards.
They will have until the end of 2027 to obtain CTM Level 5, the highest tier of the certification, for the non-CII systems under their control that support their business operations and services.
CII auditors, meanwhile, will be given until the end of 2026 to obtain this mark at the organisation level for systems that support their business operations and services.
A changing landscape
“These measures are a direct response to a shifting attack landscape, where critical infrastructure, not just end-user devices, is increasingly targeted,” Parvinder Walia, president for the Asia-Pacific region at European cybersecurity firm ESET, told The Business Times.
He added that tightening requirements around router security and critical infrastructure certifications addresses the risks of sophisticated actors targeting network infrastructure.
Dr Genie Sugene Gan, chairperson of the Cyber Security Chapter at SGTech, said that in a regional context, the implementation of the cybersecurity measures is “on time”.
But she noted that in a cybersecurity context, the goal of implementing measures is not just about timing.
Instead, the aim should be to move from general defence to specific, high-rigour protection against advanced persistent threats, she said, citing the recent attacks by cyber espionage group UNC3886.
Asked if the implementation of such measures will be an additional financial burden on companies, she told BT that the cost of compliance is “negligible” compared to the high cost per breach in Singapore.
“The cost of a serious breach downtime, incident response, regulatory fines and reputational damage almost always exceeds what compliance requires,” Walia said.
Organisations that have prioritised security by design will barely notice the additional financial burden required to upgrade the equipment, he added.
Both he and Dr Gan, however, agreed that companies with basic baseline security will have to pay a “catch-up” cost, as they implement the new cybersecurity measures.
“The real financial risk isn’t compliance. It’s not complying,” said Walia.
Decoding Asia newsletter: your guide to navigating Asia in a new global order. Sign up here to get Decoding Asia newsletter. Delivered to your inbox. Free.
Copyright SPH Media. All rights reserved.
