Cyber insurance protects your business against the financial consequences of a cyber incident, from a data breach or ransomware attack to the disruption and response costs that follow. The exposure is no longer confined to technology companies. Any business that holds personal data, takes payments, or relies on its systems to operate carries it. We structure cyber cover around how your business actually uses and depends on its data.
What cyber insurance covers
Cyber insurance responds to the financial consequences of a cyber incident. Cover typically extends to the immediate response costs after a breach or attack, business interruption while systems are unavailable, the cost of restoring data and systems, and liability arising from personal data that has been compromised. The response costs are often the first to arise: forensic investigation to establish what happened, legal advice, the work of notifying affected parties, and managing the disruption to the business.
The data protection exposure
A cyber incident involving personal data is not only an operational problem. Under the Personal Data Protection Act, an organisation must notify the Personal Data Protection Commission of a data breach that is assessed to be notifiable, an obligation that has applied since 1 February 2021. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it involves the personal data of 500 or more individuals, regardless of the level of harm.
Where a breach is notifiable, the organisation must notify the PDPC as soon as practicable, and no later than three calendar days after assessing that it is notifiable, and must also notify the affected individuals where significant harm is likely. The PDPC can impose a financial penalty of up to ten per cent of an organisation's annual turnover in Singapore, or one million dollars, whichever is higher. The cost of assessing and meeting these obligations, and the forensic, legal, and notification work required to do so properly, forms a meaningful part of the exposure that cyber cover is designed to respond to.
Who should consider it
Any business that holds personal data, takes payments, or depends on its systems to operate carries cyber exposure, and that now describes most companies regardless of sector or size. Smaller businesses are not exempt. The PDPC has taken enforcement action against organisations of all sizes, and a smaller company often has less capacity to absorb the cost and disruption of a serious incident.
Where the exposure sits
The common gaps are in scope rather than the existence of a policy. Cover that addresses third-party liability but not the business interruption from a system outage can leave the largest cost uninsured. A policy that excludes incidents arising from a known but unpatched vulnerability, or that sets a low sub-limit on incident response, may respond far less than expected when it is called upon. Reviewing what triggers the cover, the sub-limits for each type of loss, and the incident response support included is where the protection is decided.
How we structure it
We take time to understand the data you hold, how your business depends on its systems, and the obligations you carry under the PDPA, and we place cover with our appointed insurers around that picture. We review the cover as your operations and data footprint change, and we remain your point of contact if an incident occurs. The aim is cover that responds to the costs that actually follow an incident, in place before one happens.