On 6 January 2026, the Singapore Police Force announced that Richard Siua Cheng Foo, former Group Chief Operating Officer of SGX Mainboard-listed MDR Limited, had been convicted of criminal breach of trust and sentenced to 66 months' imprisonment. Between November 2020 and December 2021, Siua misappropriated 4,057 units of mobile devices and accessories valued at approximately S$2.5 million from two of MDR's subsidiaries. He had the authority to withdraw stock for business purposes. He used it to fund his gambling addiction.
In the same case, MDR's former Sales Director, Ng Eng Ming Peter, was convicted separately on 29 August 2025 for the same type of offence and sentenced to 23 months' imprisonment.
Two senior executives. One company. S$2.5 million in stock walked out the door over 13 months. This is not an extraordinary case in Singapore's commercial crime landscape. It is a representative one.
Commercial crime insurance exists to address losses exactly like this: money or assets taken by people inside the organisation, people who were trusted, who had legitimate access, and who used that access dishonestly. This post explains what commercial crime insurance covers, how it differs from social engineering fraud (SEF) cover and cyber insurance, and why many Singapore businesses are exposed without realising it.
What is commercial crime insurance?
Commercial crime insurance, sometimes called fidelity insurance or employee dishonesty insurance, covers financial losses your business suffers as a direct result of dishonest acts by your own employees or directors.
The emphasis is on the word dishonest. Commercial crime insurance responds to deliberate wrongdoing by someone inside the organisation: theft of money, theft of stock or assets, forgery, falsification of accounts, and fraud committed by a person who was entrusted with access to company resources.
Think about what that covers in practice:
A finance manager who has been quietly inflating invoices and siphoning the difference into a personal account for three years. A warehouse supervisor who has been diverting stock to an associate and splitting the proceeds. A director who falsifies company records to obtain loans the company would not otherwise qualify for. A procurement officer who accepts kickbacks from suppliers and approves inflated purchase orders in return.
In every case, the loss came from inside. The perpetrator was not a stranger breaking in. They were someone on the payroll, someone with an employment contract, someone the company trusted with access. And in many cases, their dishonesty went undetected for months or years before anyone noticed.
Why do internal fraud losses go undetected for so long?
The MDR case ran from November 2020 to December 2021, which is 13 months. The APB case involving finance manager Chia Teck Leng, still Singapore's most notorious commercial fraud, ran for four years before it was discovered. In 2004, he was sentenced to 42 years' imprisonment for swindling S$117 million from four foreign banks.
Internal fraud persists because the perpetrator understands the business's controls from the inside. They know which transactions attract scrutiny and which do not. They know which approval thresholds trigger a second review. They know how to frame a transaction so it looks routine. The fraud is often structured to stay just below the level that would trigger an automatic check.
For a small or medium-sized business, the internal controls that would catch this kind of fraud are often thinner. There may not be a segregation of duties between the person who approves a payment and the person who processes it. The director may trust a long-serving employee implicitly. A tight team with overlapping responsibilities creates both the opportunity and the cover.
What commercial crime insurance covers
A well-structured commercial crime policy typically covers the following.
Employee theft and dishonesty. Direct financial loss from the theft of money, securities, or other property by an employee acting alone or in collusion with others. This is the core cover: what the MDR case illustrates.
Forgery and alteration. Losses arising from forged or altered financial instruments, cheques, or documents. A common pattern is an employee who forges a director's signature on payment authorisations, or who alters a supplier's bank account details to redirect payments to their own account.
Computer fraud. Financial loss caused by the fraudulent use of the company's own computer systems by an employee. An employee who manipulates the payroll system to create phantom employees or inflate their own salary, for example.
Funds transfer fraud. Loss resulting from a fraudulent electronic transfer instruction made by an employee, or a transfer made in response to a fraudulent instruction that the employee originated.
Theft of client assets. Where the business holds money or property on behalf of clients, and an employee misappropriates those assets. Particularly relevant for professional services firms, property managers, and businesses holding client funds in trust.
Now, the three-way comparison: commercial crime vs SEF vs cyber
This is the question most business owners have after reading this far: how does this differ from social engineering fraud cover and cyber insurance? The three covers are related but address genuinely different risks. Understanding which applies to which loss is the most practical thing this post can offer.
Commercial crime insurance
Who causes the loss: An insider. Your own employee, director, or someone acting in collusion with them.
How the loss happens: Deliberate dishonest act. The person knew what they were doing was wrong and did it anyway.
Example: A finance executive transfers S$400,000 from the company account to their personal account over 18 months using falsified payment vouchers.
What triggers the claim: Evidence that a covered person committed a dishonest act that directly caused a financial loss to the insured.
Social engineering fraud (SEF) cover
Who causes the loss: An outsider deceiving an insider. The loss is caused by a third party who manipulates an employee into acting.
How the loss happens: The employee acts in good faith. They genuinely believe they are following a legitimate instruction. They are deceived, not dishonest.
Example: An accounts payable officer receives an email that appears to be from the CEO instructing an urgent transfer to a new supplier account. The email is from a criminal impersonating the CEO. The officer processes the transfer in good faith. The money is gone.
What triggers the claim: A covered person was deceived by a fraudulent communication into transferring funds or assets.
We covered SEF and Business Email Compromise in detail in Business Email Compromise in Singapore and Social Engineering Fraud in Singapore.
Cyber insurance
Who causes the loss: Typically an external attacker, though it can involve insider-enabled access.
How the loss happens: The company's computer systems, data, or network infrastructure is compromised. The loss may be financial (ransomware, funds transfer fraud via system compromise) or operational (systems down, data stolen).
Example: A criminal gains access to the company's banking portal by stealing login credentials through a phishing attack. Funds are transferred out using the company's own authenticated session. No employee was deceived into approving anything. The system itself was compromised.
What triggers the claim: Unauthorised access to or use of the company's computer systems causing a direct financial loss or incurring response costs.
We covered cyber insurance in detail in Cyber Insurance in Singapore.
Why the distinction matters at claim time
The three covers can look similar from a distance. They all involve money leaving the company in circumstances that should not have occurred. But insurers draw clear distinctions in their wordings, and the wrong policy for the actual loss type can mean a claim is declined or only partially paid.
The most common gap: a business holds a commercial crime policy but no SEF extension. An employee is deceived by a fake CEO email and transfers money. The commercial crime policy does not respond because the employee was not dishonest. The employee acted in good faith on a fraudulent instruction. Without an SEF extension, the loss has nowhere to go.
The reverse gap also exists: a business holds cyber insurance but no commercial crime cover. An employee deliberately manipulates the payroll system to inflate their own salary over two years. The cyber policy covers external attacks on computer systems. It does not cover deliberate internal misuse by an authorised user acting dishonestly. The loss falls on the company.
The practical takeaway is that for a business with meaningful financial controls and employee-facing systems, all three covers address adjacent risks and the three should be reviewed together to ensure there are no gaps between them.
What to think about before arranging commercial crime cover
Who is a covered person? Most commercial crime policies cover employees, directors, and officers. Some extend to temporary staff, contractors, and volunteers. Where a business uses contract staff or third-party administrators who handle company funds, checking whether they fall within the definition of a covered person matters.
What is the policy limit? The limit needs to reflect the realistic worst-case scenario, not the average transaction. The MDR case involved S$2.5 million in losses from one executive over 13 months. A policy limit set at S$500,000 would have left a significant shortfall.
Does the policy require discovery within the policy period? Commercial crime policies are typically discovery-based: the loss must be discovered while the policy is in force, regardless of when the fraud occurred. A fraud that ran for three years but was only discovered after a policy lapse may not be covered. Understanding how the discovery period interacts with run-off cover is important.
What internal controls does the insurer expect? Some policies include conditions around segregation of duties, authorisation limits, and reconciliation procedures. Where those controls are absent or inadequate, the insurer may raise questions about the claim. Maintaining basic financial controls is both good practice and a condition of the cover working as expected.
You can read more about our commercial crime cover on the products page. If you would like to understand how your current commercial crime, SEF, and cyber covers sit together and whether there are gaps between them, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.