What We CoverOur ApproachClient StoriesInsightsAboutSchedule a Consultation
All insights

Ransomware or data breach: the correct response steps for Singapore SMEs, and what cyber insurance changes

Ransomware or a data breach: what do you actually do in the first 24 hours? This post walks through the correct response steps for Singapore SMEs, the PDPA notification clock, and exactly what changes when you have cyber insurance versus when you do not.

Your IT manager calls you at 7am. Files on the company server are encrypted. A ransom note has appeared on every workstation. Or a member of staff tells you they received an alert from your practice management system that an unusual number of patient records were accessed overnight. Or you discover that a former employee's login credentials were used to extract a client database three weeks after they left.

In any of these scenarios, the first 24 hours determine how much damage is done, how much it costs to recover, and whether you meet your legal obligations under Singapore law. Most Singapore SME owners have no plan for this moment. This post gives you one.

It also explains, plainly, what changes about that response if you hold cyber insurance versus if you do not.

What you are dealing with: ransomware versus data breach

Before the steps, a distinction worth understanding because the response differs.

Ransomware is a type of attack where malicious software encrypts your files and systems, making them inaccessible until a ransom is paid or the encryption is reversed. The primary damage is operational: your business cannot function. Some ransomware attacks also exfiltrate data before encrypting it; others do not.

A data breach is an incident where personal data or confidential business information is accessed, taken, or disclosed without authorisation. It may or may not involve ransomware. A misconfigured cloud storage bucket, a phishing attack that compromises an email account, a former employee retaining access to systems, or a vendor's systems being breached can all result in a data breach without a single file being encrypted.

The steps below apply to both, with specific notes where the response differs.

The immediate steps: the first two hours

Step 1: Contain, do not investigate.

The instinctive response is to try to understand what happened. Resist it. The first priority is to stop the incident from spreading. Disconnect affected systems from the network. Do not switch them off, as powered-down systems may lose forensic evidence. Isolate them. If it is ransomware, disconnect from the internet and from other devices immediately. If it is a data breach through compromised credentials, revoke the relevant access immediately.

Do not attempt to pay the ransom, negotiate with the attacker, or restore from backup yet. Each of these actions, done in the wrong order, can destroy forensic evidence or make recovery harder.

Step 2: Notify the right people inside your organisation.

This means your most senior IT person or IT vendor, your legal counsel or company secretary, and your CEO or equivalent. Not the whole company. Not your clients. Not social media. The wider notification comes later, in a controlled way. In the first two hours, the circle should be small and focused.

Step 3: Lodge a police report.

For a ransomware attack, the Singapore Police Force states directly that ransomware is a cybercrime and should be reported to the Police. Timely reporting allows law enforcement to conduct effective investigations and contributes to the SPF's understanding of ransomware criminal operations in Singapore. Upon lodging a police report, the Singapore Cyber Emergency Response Team (SingCERT) under the Cyber Security Agency of Singapore (CSA) will also be notified, which is a practical benefit for organisations that need incident response guidance.

For a data breach that does not involve ransomware, there is no statutory obligation under the PDPA to make a police report. However, where criminal activity is suspected, such as hacking, unauthorised access to computer systems, or a data breach caused by a current or former employee, legal practitioners advising on Singapore data breach response recommend reporting to the police to preserve evidence for investigations. A police report in these circumstances is also relevant to your insurer, as it establishes the criminal nature of the incident from the earliest point.

The police report and the PDPC notification are separate obligations. Making one does not satisfy the other. Both should be pursued in parallel where both apply.

You can lodge a police report online at the SPF's e-Report Portal at www.police.gov.sg or call 999 for emergencies and 1800-255-0000 for non-emergency police assistance.

Step 4: Document everything from this moment forward.

Write down what you know, when you found out, and what actions have been taken. Time-stamp every entry. This log is not just good practice. It is the foundation of your PDPC notification if required, your police report if relevant, your insurance claim if you hold cyber cover, and your legal position if a dispute follows. Every phone call, every system action, every decision made in the response needs to be recorded.

The legal clock: Singapore's PDPA notification obligation

If personal data is or may have been involved in the incident, Singapore's Personal Data Protection Act 2012 (PDPA) starts a clock the moment you become aware that a breach has occurred or is likely to have occurred.

Under the mandatory breach notification provisions, you must notify the Personal Data Protection Commission (PDPC) within three calendar days of becoming aware of a notifiable data breach. A breach is notifiable if it involves personal data of 500 or more individuals, or if it is likely to result in significant harm to the individuals affected regardless of the number of people involved.

Three calendar days is not three business days. It includes weekends and public holidays. If you discover a breach on a Friday evening, your notification deadline is Monday evening.

You must also notify the affected individuals directly if the breach is likely to result in significant harm to them: financial loss, physical harm, reputational damage, or other serious consequences.

The PDPC expects you to notify based on what you know at the time of notification, not based on a complete investigation. You do not need to have all the answers before you notify. You need to notify, and then update the PDPC as your investigation progresses.

Failing to notify within three days is itself a breach of the PDPA, separate from the underlying incident, and carries its own enforcement risk.

Note that the PDPA notification to the PDPC is a separate obligation from the police report described above. The PDPA notification is directed to the PDPC and concerns your obligations as a data controller. The police report is directed to the SPF and concerns the criminal investigation of the offence. Both serve different purposes and neither substitutes for the other.

Steps 5 to 8: the first 24 to 72 hours

Step 5: Engage a forensic investigator.

You need to know what happened, when it started, what data was accessed or taken, and how the attacker got in. This requires a specialist. Your internal IT team, if you have one, may not have the tools or the objectivity to conduct this investigation. A forensic investigator preserves evidence correctly, produces a report that is defensible in a legal or regulatory context, and can identify the full scope of the incident.

Who pays for this, and who finds the right firm, is where the cyber insurance dimension becomes most practically significant.

Step 6: Assess the scope of the breach.

With the forensic investigator's initial findings, answer these questions. What systems were affected? What data was on those systems? Does that data include personal data of individuals? Whose personal data? How many individuals? What is the nature of the data: financial records, health information, identity documents? Has the data been exfiltrated, meaning taken out of your environment, or only accessed within your systems?

The answers determine whether you have a PDPC notification obligation, whether you need to notify affected individuals, and what the realistic damage to those individuals might be.

Step 7: Seek qualified legal advice on notification and response.

Once you have a preliminary scope assessment, you need qualified legal advice from a Singapore-qualified lawyer experienced in data protection matters on three things: whether and how to notify the PDPC, whether and how to notify affected individuals, and what your contractual obligations to clients and partners are under the data protection clauses of your agreements.

Many Singapore SME contracts include mutual data protection indemnities: if your breach exposes a client's customer data, your client may have a contractual claim against you. Understanding this exposure before you communicate with clients is important.

The PDPC publishes a Guide to Managing Data Breaches at pdpc.gov.sg, which sets out the notification form and process in detail and is a useful reference alongside professional legal advice.

Step 8: Restore operations from clean backups.

Only after containment and forensic preservation should you begin restoring systems. Restoring from a backup that itself contains the ransomware or the attacker's access reinstates the problem. Your forensic investigator needs to confirm that the backup is clean and that the vulnerability that allowed the attack has been identified and closed before restoration begins.

For ransomware specifically: the decision to pay or not pay a ransom carries legal, regulatory, and financial implications that require qualified legal advice before any action is taken. This is not a decision to be made without counsel, and it should not be made under time pressure without first consulting your lawyer and, where relevant, your insurer.

What changes if you have cyber insurance

If you hold cyber insurance, the response above does not change in sequence. What changes is who bears the cost, who coordinates the response, and how quickly expert help is available.

Immediate notification to your insurer. Most cyber policies require you to notify the insurer or their appointed incident response team as soon as reasonably practicable after discovery of an incident. Many insurers operate a 24-hour incident response hotline specifically for this. Do not wait until you have investigated. Notify first.

The insurer's incident response team typically includes or has access to forensic investigators, legal counsel specialising in data breach response, and PDPC notification specialists. Instead of finding and engaging these separately under crisis conditions, you call one number and the insurer's team coordinates the response.

Forensic investigation costs covered. Under most cyber policies, the cost of the forensic investigation to determine the scope and cause of the breach is a covered first-party cost. These costs vary significantly depending on the scale and complexity of the incident.

Legal advice and PDPC notification costs covered. The legal costs of advising on the notification obligation, drafting the PDPC notification, and advising on individual notification are covered first-party costs under a cyber policy.

Business interruption losses covered. If your systems are down and your business cannot operate as a result of the incident, business interruption cover under the cyber policy responds to the revenue loss during the downtime period, subject to the policy's waiting period and terms.

Third-party liability covered. If a client or affected individual brings a claim against you arising from the breach, the cyber policy's third-party liability section covers the legal costs of defending that claim and any damages awarded, up to the policy limit.

Ransom payment. Some cyber policies include coverage for ransom payments made as a last resort where no other recovery option exists. This is a specific policy extension, not a standard feature, and it requires the insurer's involvement and legal counsel's advice before any payment is made.

What happens if you do not have cyber insurance

Every cost described above comes directly out of your business.

Forensic investigation costs vary significantly depending on the scope and complexity of the incident and will need to be engaged at short notice, often at higher rates than would apply under a pre-arranged relationship.

Legal advice on PDPA notification and contractual exposure will need to be obtained independently and at your own cost.

Business interruption: every day your systems are down, your revenue loss accumulates with no mechanism to recover it.

Third-party liability: if a client brings a claim, you defend it from your own resources. Legal costs for a contested data breach claim in Singapore can be substantial, often exceeding the cost of the incident response itself.

PDPC enforcement: a fine of up to 10% of your annual Singapore turnover for a serious breach, as provided under the PDPA. The PDPC takes the timeliness and quality of your notification into account when assessing penalties. A well-managed, promptly notified breach with documented response steps receives different treatment from an unmanaged one.

The absence of cyber insurance does not change your legal obligations under the PDPA. The three-day notification clock runs regardless. The difference is that without insurance, you are managing a crisis, engaging specialist help, and facing potential regulatory and third-party liability without a financial backstop.

The one thing to do before an incident happens

Write down the answers to these five questions and keep them somewhere accessible that is not on your company server.

Who do I call first inside the company? Who is the IT contact or IT vendor? Who is my legal counsel or corporate secretary? What is my cyber insurer's incident response number, or if I do not have cyber insurance, which forensic or legal specialist would I call? Where are my backups and when were they last verified?

A business that can answer all five in the first ten minutes of an incident is in a materially better position than one that spends those ten minutes finding out who to call.

You can read more about our cyber insurance on the products page and about cyber incident costs in our post on The Cost of a Cyber Incident in Singapore. Our post on When Your Vendor is Breached covers the specific scenario where the incident originates outside your own systems.

If you would like to understand how your current cyber policy would respond to an incident like the ones described above, or whether the limits and response provisions reflect what your business would actually need, we would be glad to work through it with you.

This article provides general information only. It is not insurance or legal advice. For advice specific to your situation, please consult a Singapore-qualified lawyer experienced in data protection and cybersecurity matters. PDPA obligations cited reflect Singapore law as at July 2026. SPF guidance on police reporting cited from the Singapore Police Force website at police.gov.sg. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific insurance situation.

Wondering how this applies to your business?

Schedule a Consultationor message us on WhatsApp →
Back to all insights