What We CoverOur ApproachClient StoriesInsightsAboutSchedule a Consultation
All insights

When employees leave: insider threat, system access, and the insurance gap Singapore businesses need to understand

Apple's lawsuit against OpenAI, filed 10 July 2026, alleges a former employee retained access to internal systems after departure and extracted confidential documents. For Singapore technology companies and professional services firms, the case illustrates insider risk scenarios worth reviewing against your commercial crime and cyber cover.

On 10 July 2026, Apple filed a lawsuit in the US District Court for the Northern District of California against OpenAI and two former Apple employees. The complaint, reported by TechCrunch, Axios, and multiple technology publications, alleges that a former employee retained access to Apple's internal cloud storage after his employment had ended by exploiting an authentication flaw, and used that access to download confidential technical documents. The complaint further alleges that a senior executive used insider knowledge of confidential projects to solicit information from current employees during job interviews at the new employer, and that a trusted manufacturing partner was misled into demonstrating a proprietary technique without authorisation.

These are allegations in a civil complaint. The case is active litigation and no findings have been made by the court. The defendants have denied wrongdoing.

What the case illustrates, regardless of how the litigation resolves, is a pattern of insider risk that technology companies and professional services firms in Singapore should recognise: the departing employee who retains access, the senior hire who carries confidential knowledge to a competitor, and the supplier who is unwittingly drawn into a third party's IP dispute. Each of these scenarios creates a distinct liability exposure. Each is relevant to how commercial crime and cyber insurance are structured.

The departing employee who retains system access

The most operationally immediate scenario in the Apple complaint is the allegation that a former employee continued to access internal systems after his employment had ended, through an authentication flaw that was not identified and closed at the point of departure.

This scenario is not confined to technology giants. Any Singapore business that uses cloud-based systems, shared network storage, SaaS platforms, or remote access tools faces the same structural risk: an employee who leaves the company may retain access credentials, active sessions, or exploitable permissions if the offboarding process does not systematically revoke them.

The risk is compounded by the reality of how modern IT environments are built. A Singapore SME may use ten or more cloud-based tools: accounting software, CRM, project management, file storage, email, communications platforms, and HR systems. Each has its own access controls. Revoking access at one platform does not automatically revoke it at another. A former employee whose primary email account is closed may still have active sessions in tools that authenticated through that email, particularly where single sign-on was not consistently implemented.

For insurance purposes, this scenario sits at the boundary between commercial crime and cyber cover, and understanding which policy responds matters.

Commercial crime insurance covers direct financial loss arising from dishonest acts by employees or, in some policy structures, former employees. Where a departing employee uses retained access to take confidential files, client lists, pricing data, or trade secrets, the question of whether the loss falls under commercial crime depends on how the policy defines the insured event and whether the act was committed during or after the period of employment. Some commercial crime policies extend to acts committed by former employees within a defined period after departure. Others do not. The wording matters, and it is worth confirming before a departure rather than after.

Cyber insurance covers the costs of responding to unauthorised access to the company's systems, regardless of whether the access was by an external attacker or a former employee. Where a departing employee accesses systems post-departure and extracts data that includes personal data of clients or employees, the company faces a potential notification obligation under Singapore's Personal Data Protection Act 2012 (PDPA). Under the mandatory breach notification provisions of the PDPA, a notifiable data breach must be reported to the Personal Data Protection Commission (PDPC) within three calendar days of the organisation becoming aware that a breach has occurred or is likely to have occurred. The fact that the access was by a former employee rather than an external hacker does not affect the notification obligation. Cyber insurance covers the forensic investigation, legal advice on the notification obligation, and the regulatory response costs that follow.

The offboarding process as a risk control

The insurance conversation is not a substitute for the operational one. Commercial crime and cyber policies both consider the controls in place when assessing a claim. An employer that had no documented offboarding checklist, no systematic process for revoking access across all platforms at departure, and no record of what access the departing employee held is in a weaker position when a claim is made than one that can demonstrate a structured and documented process.

For Singapore technology companies and professional services firms, the minimum offboarding controls worth documenting are straightforward. A list of all systems and platforms to which the departing employee had access, confirmed with IT and each relevant department head. A checklist of access revocation steps, completed and signed off before or on the last day of employment. Confirmation that company devices have been returned and remotely wiped. And for senior employees with access to confidential client data, trade secrets, or proprietary systems, an exit interview that documents what data the employee held, what they have returned, and what they have confirmed they will not retain.

None of this prevents a determined actor from retaining access through an undisclosed flaw. But it does establish the company's reasonable security arrangements, which is a relevant consideration both for the insurer handling a claim and for the PDPC assessing a breach notification.

The senior hire who carries confidential knowledge

The second scenario in the Apple complaint involves a senior executive who is alleged to have used detailed knowledge of a former employer's confidential projects to solicit further information from that employer's current staff during the hiring process at a new company.

For any Singapore professional services firm, technology company, or business that hires senior talent from competitors, this scenario raises a different question: what is your liability if a senior hire brings confidential information from their former employer into your organisation, and that information is subsequently used in your business?

In Singapore, the common law duty of confidentiality survives the end of employment. An employee who takes confidential information belonging to a former employer and uses it for the benefit of a new employer creates a potential claim against both the individual and, depending on the circumstances, the new employer. The new employer who is found to have received or used confidential information in the knowledge that it was improperly obtained faces liability for inducing breach of confidence.

For Singapore businesses hiring from competitors, the practical risk management step is to conduct structured onboarding for senior hires that documents what confidential information the new employee has been instructed not to bring or use, and to maintain records of that instruction. This does not eliminate the risk, but it establishes that the company took reasonable steps to ensure it was not receiving improperly obtained information.

Professional indemnity insurance covers claims arising from the professional acts of the firm and its employees. Where a senior hire's prior knowledge creates a claim directed at the new employer, the PI policy is the cover most likely to respond to the legal costs and any damages. Confirming that the PI policy extends to claims of this nature, and that the limit is adequate for a dispute involving trade secret misappropriation, is worth reviewing at the next renewal.

You can read more about our commercial crime cover, cyber insurance, and professional indemnity cover on the products page. Our post on The Cost of a Cyber Incident in Singapore covers the financial dimension of a data breach in more detail.

If you are a technology company or professional services firm and would like to understand how your current commercial crime and cyber policies respond to the departing employee scenario, or whether your PI cover addresses the senior hire risk, we would be glad to work through it with you.

This article provides general information only. It is not insurance or legal advice. The Apple v OpenAI litigation referenced in this post involves active court proceedings in the United States. The facts described reflect allegations made in the publicly filed complaint and reported by named publications. No findings of liability have been made and the defendants have denied wrongdoing. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.

Wondering how this applies to your business?

Schedule a Consultationor message us on WhatsApp →
Back to all insights