The Monetary Authority of Singapore does not publish a list of insurance policies that regulated financial institutions must hold. What it does publish are legally binding Notices and supervisory guidelines that define the operational, governance, and technology risk obligations every regulated financial institution in Singapore must meet.
Insurance does not appear in those Notices by name. It appears in the gap between what those Notices require and what an FI can absorb from its own balance sheet if something goes wrong.
This post explains what MAS's regulatory framework expects of financial institutions, and what insurance programme a well-governed Singapore FI typically puts in place in response.
What MAS actually requires
The regulatory framework for Singapore FIs sits across several instruments that took their current form in May 2024 when the Financial Services and Markets Act 2022 gave MAS consolidated authority to impose harmonised technology and risk management requirements across the entire regulated sector.
The Notices on Technology Risk Management, which became legally binding from 10 May 2024, require FIs to maintain high availability for critical systems, achieve a recovery time objective of no more than four hours for each critical system, notify MAS within one hour of discovering a relevant incident, and submit a root cause analysis report within 14 days. These are operational obligations with specific timelines and measurable standards.
The Notices on Cyber Hygiene, also effective from 10 May 2024, require FIs to secure administrative accounts, apply security patches in time to negate risks, establish baseline cybersecurity standards, implement network security controls, deploy anti-malware measures, and use multi-factor authentication on all administrative accounts and on any account used to access customer information.
In March 2026, MAS published a consultation paper on updated Guidelines on Operational Risk Management, which builds on existing expectations around governance, three lines of defence, risk appetite frameworks, and operational resilience across all material business activities. This updated framework incorporates elements of Basel Committee guidance and signals that MAS's expectations around operational risk governance are tightening, not static.
The proposed TRM Notice amendments published on 10 June 2026, on which consultation closes on 31 July 2026, add further requirements on IT asset management, continuous system and security monitoring, immutable and offline data backup, and incident management. These are not new in concept, but they represent a strengthening of the existing framework in response to growing digitalisation and an evolving threat environment.
Across all of this, MAS expects boards to be actively involved in technology risk governance, to appoint a Chief Information Security Officer accountable for managing technology and cyber risks, and to document their risk appetite, policies, and controls comprehensively.
The gap that insurance addresses
MAS's framework defines what an FI must do to prevent incidents, detect them early, and respond effectively when they occur. It does not define what happens to the FI's financial position when, despite all of those controls, something goes wrong.
For a Singapore FI, the financial consequences of a significant technology or operational incident run simultaneously on several tracks. There is the direct cost of the incident itself: forensic investigation, system recovery, and the operational disruption while systems are restored. There is the regulatory consequence: responding to MAS's one-hour notification requirement, managing the subsequent investigation, and addressing any supervisory action. There is the liability to clients and counterparties whose transactions, data, or positions were affected. And there is the governance question: whether the board and senior management exercised adequate oversight, which can give rise to personal liability for individual directors.
Insurance does not prevent any of these. What it does is provide a defined financial resource to respond to each of them when they occur.
The insurance programme a Singapore FI typically holds
The four products most commonly held by regulated Singapore FIs, and the exposure each addresses, are as follows.
Cyber insurance is the first line of financial response to a technology or security incident. It covers the first-party costs of the incident: forensic investigation to establish what happened and how, legal advice on MAS notification obligations and the PDPA breach notification requirement, the cost of notifying affected individuals, and business interruption losses while systems are restored. It also covers third-party liability: claims from clients or counterparties whose data was exposed or whose transactions were disrupted as a result of the incident.
For a Singapore FI operating under the TRM Notices, the one-hour notification requirement to MAS and the obligation to submit a root cause analysis within 14 days mean that incident response costs begin from the moment an incident is detected. A cyber policy that includes incident response and legal advice cover ensures that these costs are managed from a defined budget, not from operating capital.
Commercial crime insurance covers the direct financial losses an FI suffers as a result of dishonest acts by its own employees or, in some policy structures, from external fraud directed at the FI. For a financial institution that moves and holds significant sums, the internal fraud scenarios of employee theft, misappropriation of client funds, and falsification of records represent a category of loss that operational controls are designed to prevent but cannot eliminate entirely. Commercial crime cover addresses the financial consequence when those controls fail.
Social engineering fraud (SEF) cover, which can sit within or alongside a commercial crime policy, addresses the specific scenario where an employee is deceived into authorising a fraudulent transaction through a manipulated instruction. For FIs that process high volumes of wire transfers and payment instructions, this is a material exposure that sits in a gap between standard commercial crime cover and cyber cover. The Singapore Police Force (SPF) advisory on Business Email Compromise (BEC) issued in May 2026 noted at least 66 BEC cases reported since 1 January 2026 with losses of at least S$19 million, and financial institutions are among the most targeted sectors.
Directors and officers insurance covers the personal legal costs of the FI's directors and senior officers when claims are made against them in their personal capacity as decision-makers. MAS's expectation that boards maintain active oversight of technology risk, appoint a CISO, and document their risk governance creates a governance accountability that runs through to individual directors. Where a significant incident triggers a regulatory investigation or a shareholder or beneficiary claim, the question of whether the board exercised adequate oversight can give rise to personal liability for individual members. D&O cover responds to this personal exposure separately from the FI-level claim.
Professional indemnity insurance covers claims against the FI for errors, omissions, or negligent acts in the professional services it delivers. For capital markets entities, fund managers, financial advisers, and trust companies, the professional liability exposure is direct: an investment decision, a portfolio management error, or advice that does not meet the standard expected can give rise to a client claim. For payment service providers, an error in processing that causes financial loss to a merchant or consumer creates a similar professional liability. PI cover is structured to respond to these claims at the professional services level.
How the four covers work together
The four products address four different categories of exposure that can arise from the same event. A technology incident at an FI that results in a data breach, a fraudulent transaction, a delayed settlement, and a regulatory investigation creates simultaneous triggers across cyber, commercial crime or SEF, D&O, and potentially PI.
Placing these covers in isolation, without awareness of how each policy defines the insured event, responds to the loss, and interacts with the others, creates the risk of gaps or overlaps at exactly the point where multiple covers are needed simultaneously. A coordinated financial lines programme, reviewed at each renewal against the current regulatory environment, addresses this more effectively than assembling four standalone policies at different points in the year.
You can read more about our cyber insurance, commercial crime cover, SEF cover, D&O cover, and professional indemnity cover on the products page.
If you are a regulated financial institution in Singapore reviewing your current insurance programme against the direction of MAS's evolving TRM and operational risk framework, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.