Here is a number that deserves more attention than it has received.
In 2025, cyber insurance adoption among Singapore SMEs fell from 38% to 36%, according to QBE's annual SME survey. In the same period, the proportion of Singapore SMEs that reported experiencing a cyber incident in the past year rose from 25% to 27%.
Coverage going down. Risk going up. These two numbers are moving in the wrong direction simultaneously, and the reason is worth understanding carefully.
Why coverage is falling while risk is rising
The QBE survey identified the primary driver clearly. Price has become the top factor in insurance decisions for Singapore SMEs in 2025, cited by 70% of respondents. Operating costs are up: 66% of Singapore SMEs reported higher costs in 2025, compared to 50% a year earlier. In an environment where every line item is under pressure, cyber insurance can look like an optional spend, particularly if the business has not experienced an incident directly.
The logic is understandable but it contains a specific error. The decision to drop or reduce cyber insurance is typically made by comparing the premium to a notional risk. The premium is a known, immediate cost. The risk is uncertain and future. When cash flow is tight, the certain cost loses to the uncertain future cost in most short-term budget conversations.
What this calculation misses is the asymmetry involved. The premium for a basic cyber policy for a Singapore SME is a relatively modest annual cost. A single ransomware incident, a data breach requiring PDPC notification, or a business email compromise transfer can cost significantly more in a matter of days than several years of premiums. The maths only works against insurance if the probability of an incident is genuinely very low. The QBE data suggests it is not.
What 27% actually means
When 27% of Singapore SMEs report a cyber incident in the past year, that is more than one in four businesses. That figure is not dominated by large companies with complex systems and valuable data. SMEs in this survey are, by definition, smaller businesses with simpler operations.
The incidents affecting SMEs are not primarily sophisticated state-sponsored attacks. They are phishing emails that steal login credentials. Business email compromise scams that redirect payments to criminal accounts. Ransomware deployed through a compromised remote desktop connection. Malware introduced through a supplier's email attachment.
None of these require a sophisticated attacker. All of them require only one employee to take an action that, in hindsight, they would not have taken if they had recognised the threat. The threat surface for a Singapore SME with ten employees and a shared email system is not dramatically smaller than for a company with a hundred.
The cost misperception
A significant part of the decline in cyber insurance adoption is driven by cost misperception. Many SME owners assume cyber insurance is expensive because they associate it with large enterprise policies covering complex technology infrastructure.
For a small Singapore business, a basic cyber policy covering incident response costs, business interruption, PDPA notification costs, and third-party liability for data breaches can be considerably more affordable than that perception suggests. The premium scales with the size of the business, the type of data held, and the security controls in place. A professional services firm with ten employees and basic security hygiene is a meaningfully different risk from a financial institution.
Of the Singapore SMEs without cyber insurance in the QBE survey, 51% said they would consider purchasing a policy. That is a majority of the uninsured group expressing openness to cover. The gap between consideration and purchase is largely driven by the perception of cost and the absence of a clear articulation of what the cover actually does.
What the 36% who have cover understand
Cyber insurance is not primarily about paying a ransom, though that is the scenario most people associate with it. For a Singapore SME, the more relevant cover components are:
Incident response costs, which include the forensic investigation to understand what happened and how to stop it. For a small business with no IT department, this is the most immediately useful part of the cover. A specialist firm can be engaged within hours of an incident being reported, and the costs are covered from the first call.
Business interruption, which covers the revenue lost while systems are down or inaccessible. For a business that cannot process orders, send invoices, or access client files during a ransomware event, this is where the economic damage accumulates fastest.
PDPA notification costs, which become relevant whenever a breach affects personal data above notification thresholds. The cost of legal advice, drafting notifications, and managing the regulatory process is covered, which matters particularly for businesses without in-house legal counsel.
Third-party liability, which responds if a client or customer suffers harm as a result of a breach of their data held by the business.
These components address the costs of a cyber incident that occur regardless of whether a ransom is paid or whether the attacker was particularly sophisticated. They are relevant to any business that holds personal data, processes payments, or depends on its digital systems to operate — which describes most Singapore SMEs.
The right question to ask
The question is not whether cyber insurance is expensive. It is whether the cost of a cyber incident, if one occurred, would be manageable without insurance.
For a business with strong cash reserves, clean and tested backups, and the ability to absorb several weeks of reduced operations, the answer might genuinely be yes. For most Singapore SMEs operating on standard margins with standard reserves, the honest answer is no.
51% of uninsured Singapore SMEs say they would consider cyber cover. Consideration is a starting point. The actual cost of a basic policy, relative to the exposure it addresses, is usually the piece of information that moves consideration into action.
You can read more about how cyber insurance works in our post on Cyber Insurance in Singapore and about our cyber cover on the products page. If you would like to understand what a basic cyber policy would cost for your business and what it would actually cover, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.