Cybersecurity | 13 min read | 5 June 2026

Cyber Insurance Singapore: The Complete SME Guide (2026)

Why Singapore SMEs need cyber insurance, what it covers, how much it costs, and the best providers. PDPA breach costs, ransomware protection, and how to choose the right policy.

ComplyHQ Team

A single data breach costs Singapore businesses an average of S$3.8 million according to IBM's 2025 Cost of a Data Breach Report. For SMEs, even a fraction of that cost can be fatal — 60% of small businesses that suffer a major cyber attack close within six months.

TL;DR: Singapore SMEs face growing cyber threats — ransomware, phishing, and PDPA breaches. Cyber insurance costs S$1,500-S$8,000/year for S$500K-S$2M coverage. It covers breach response costs, legal fees, business interruption, ransom payments, and PDPA regulatory defence. Top providers include Chubb, AIG, Zurich, and MSIG. Every SME handling personal data should have a policy.

Cyber insurance is no longer a luxury for large enterprises. This guide explains what Singapore SMEs need to know about cyber insurance in 2026 — what it covers, how much it costs, and how to choose the right policy.

Why Singapore SMEs Need Cyber Insurance

The Threat Landscape

Singapore is one of the most targeted countries in Asia-Pacific for cyber attacks. Key statistics for 2025-2026:

  • Ransomware attacks on SMEs increased 67% year-over-year (CSA Singapore Cyber Landscape report)
  • Average ransom demand: S$150,000-S$500,000 for SMEs (up from S$80,000 in 2023)
  • Phishing remains the #1 attack vector: 78% of Singapore breaches start with a phishing email
  • Business email compromise (BEC): Average loss of S$45,000 per incident for SMEs
  • Mean time to detect a breach: 197 days — many SMEs do not know they have been breached

The PDPA Factor

The Personal Data Protection Act (PDPA) imposes significant financial consequences for data breaches:

  • Financial penalties: Up to S$1 million per breach, or 10% of annual turnover for organisations with revenue exceeding S$10 million
  • Mandatory breach notification: Organisations must notify PDPC and affected individuals within 3 days of assessing the breach to be notifiable
  • Legal costs: PDPC investigations, legal representation, and remediation typically cost S$50,000-S$200,000 even before any fine is imposed
  • Class action risk: While still developing in Singapore, group claims for data breaches are increasing

Without cyber insurance, these costs come directly from your operating capital.

Real-World Examples

Case 1 — Singapore logistics SME (2025): Ransomware encrypted all servers. No backups. Paid S$180,000 ransom plus S$120,000 for incident response and system restoration. Business interrupted for 3 weeks. Total cost: S$400,000+.

Case 2 — Retail e-commerce (2025): Employee fell for phishing email. 50,000 customer records exposed. PDPC investigation costs: S$80,000. Fine: S$120,000. Customer notification and credit monitoring: S$60,000. Reputational damage: immeasurable. Total direct cost: S$260,000.

Case 3 — Professional services firm (2024): Business email compromise. Finance team tricked into transferring S$230,000 to fraudulent account. Funds unrecoverable. No cyber insurance. Loss absorbed entirely by the firm.

What Cyber Insurance Covers

A standard cyber insurance policy for Singapore SMEs typically includes these coverage areas:

First-Party Coverage (Your Direct Losses)

Incident response costs

  • Forensic investigation to determine breach scope
  • IT consulting to contain and remediate the breach
  • Notification costs (letters, emails, call centre) to affected individuals
  • Credit monitoring services for affected customers
  • Public relations and crisis management
  • Typical coverage: S$100,000-S$500,000

Business interruption

  • Lost income during system downtime caused by a cyber incident
  • Extra expenses to maintain operations (temporary systems, manual processes)
  • Waiting period: typically 8-12 hours before coverage activates
  • Coverage period: typically 60-180 days
  • Typical coverage: S$200,000-S$1,000,000

Data restoration

  • Cost of restoring, recreating, or recollecting data lost or corrupted in an attack
  • Includes hiring specialists to recover data from backups
  • Typical coverage: S$50,000-S$200,000

Cyber extortion / Ransomware

  • Ransom payments (in jurisdictions where legal) and negotiation costs
  • Forensic costs related to the extortion event
  • Coverage for extortion threats including DDoS threats
  • Typical coverage: S$100,000-S$500,000
  • Note: Most insurers require approval before paying any ransom

Third-Party Coverage (Claims Against You)

Privacy liability

  • Defence costs and damages from lawsuits alleging failure to protect personal data
  • Covers claims from customers, employees, and business partners
  • Typical coverage: S$500,000-S$2,000,000

Regulatory defence and fines

  • Legal costs for defending PDPC investigations and enforcement actions
  • Coverage for PDPA fines (where insurable by law)
  • Extends to other regulatory bodies (MAS, IMDA) where applicable
  • Typical coverage: S$250,000-S$1,000,000

Media liability

  • Defamation, copyright infringement, or privacy violations through digital media
  • Covers website content, social media, and email communications
  • Typical coverage: S$100,000-S$500,000

Network security liability

  • Claims from third parties whose systems were compromised via your network
  • Covers transmission of malware to clients, partners, or vendors
  • Critical for IT service providers, MSPs, and software companies

How Much Does Cyber Insurance Cost?

Premiums depend on several factors. Here is what Singapore SMEs can expect:

Pricing by Business Size

Micro-business (1-10 employees, <S$1M revenue):

  • Coverage: S$250K-S$500K
  • Annual premium: S$800-S$2,000
  • Example: Small consulting firm, retail shop with e-commerce

Small business (10-50 employees, S$1M-S$10M revenue):

  • Coverage: S$500K-S$2M
  • Annual premium: S$2,000-S$5,000
  • Example: Professional services firm, mid-size retailer, logistics company

Medium business (50-200 employees, S$10M-S$50M revenue):

  • Coverage: S$2M-S$5M
  • Annual premium: S$5,000-S$15,000
  • Example: Manufacturing, healthcare provider, financial services

Factors That Affect Your Premium

Increases premium:

  • Handling large volumes of personal data (10,000+ records)
  • Operating in high-risk industries (healthcare, financial services, e-commerce)
  • Previous cyber incidents or claims
  • Weak security posture (no MFA, no endpoint protection, no backups)
  • Processing payment card data

Decreases premium:

  • Strong cybersecurity measures (MFA, endpoint detection, regular patching)
  • Employee security awareness training programme
  • Regular penetration testing and vulnerability assessments
  • SOC 2 or ISO 27001 certification
  • Incident response plan documented and tested
  • Dedicated IT security personnel or managed security provider

Top Cyber Insurance Providers in Singapore

Chubb Cyber Enterprise Risk Management

  • Best for: Mid-size to large SMEs needing comprehensive coverage
  • Coverage range: S$500K-S$25M
  • Strengths: Broad coverage, experienced claims team in Asia-Pacific, pre-breach services included (vulnerability scans, employee training modules)
  • Claims response: 24/7 incident response hotline with Singapore-based coordinator
  • Pricing: Mid-to-premium range. Worth it for the claims experience.

AIG CyberMate

  • Best for: SMEs wanting an all-in-one package
  • Coverage range: S$250K-S$10M
  • Strengths: Pre-built packages for SMEs (simplified underwriting), includes free cyber risk assessment, crisis management included
  • Claims response: Dedicated claims handler assigned within 4 hours
  • Pricing: Competitive for SMEs. Simplified online application for coverage under S$2M.

Zurich Cyber Insurance

  • Best for: Manufacturing and supply chain businesses
  • Coverage range: S$500K-S$15M
  • Strengths: Strong operational technology (OT) coverage, supply chain cyber incident extension, integrated risk engineering services
  • Claims response: Global network with Singapore support
  • Pricing: Mid-range. Good value for manufacturing SMEs.

MSIG Cyber Insurance

  • Best for: Budget-conscious smaller SMEs
  • Coverage range: S$100K-S$5M
  • Strengths: Affordable entry-level policies from S$800/year, simple online application, local insurer with strong Singapore presence
  • Claims response: Local claims team, standard response times
  • Pricing: Among the most affordable for basic coverage.

QBE Cyber Insurance

  • Best for: Professional services and tech companies
  • Coverage range: S$500K-S$10M
  • Strengths: Strong technology errors & omissions (E&O) integration, intellectual property coverage, worldwide coverage including USA (important for SaaS companies)
  • Claims response: Specialist technology claims team
  • Pricing: Mid-range. Excellent value when combined with professional indemnity.

How to Choose the Right Policy

Step 1: Assess Your Risk

Before shopping for insurance, understand your exposure:

  • How much personal data do you hold? Count customer records, employee records, and any third-party data
  • What is your most valuable digital asset? Customer database, intellectual property, financial records
  • What would a 2-week system outage cost you? Lost revenue, penalties for missed deadlines, customer churn
  • Do you comply with PDPA? Non-compliance increases both your risk and your premiums

Step 2: Determine Coverage Needs

As a starting point:

  • Minimum coverage: 2x your estimated maximum loss from a breach
  • Business interruption: At least 3 months of gross revenue
  • Regulatory defence: At least S$250,000 (PDPC investigations are expensive)
  • Incident response: At least S$100,000 (forensics alone can cost S$50,000-S$100,000)

Step 3: Compare Policies

Key clauses to check:

  • Retroactive date: Does the policy cover breaches that occurred before the policy started but are discovered during the policy term? (Important — most breaches go undetected for months)
  • Waiting period for business interruption: 8 hours is standard; some policies have 24-48 hour waiting periods
  • Sub-limits: Some coverage areas have lower limits than the headline policy amount. Check sub-limits for ransomware, regulatory fines, and PR costs
  • War exclusion: Standard in all policies but increasingly relevant given state-sponsored attacks. Check if the definition is narrow (traditional war) or broad (any state-sponsored attack)
  • Known vulnerabilities: Many policies exclude incidents caused by vulnerabilities the insured knew about but failed to patch. Maintain a patching schedule.

Step 4: Improve Your Security to Lower Premiums

Insurers reward good cyber hygiene. Implementing these controls can reduce premiums by 10-30%:

  1. Multi-factor authentication (MFA) on all critical systems and email — this alone can reduce premiums by 5-10%
  2. Endpoint detection and response (EDR) on all devices
  3. Regular backups with offline/air-gapped copies tested monthly
  4. Employee security awareness training at least quarterly
  5. Incident response plan documented, communicated to key staff, and tested annually
  6. Vulnerability scanning and patching within 30 days for critical CVEs

PDPA Breach Costs vs Cyber Insurance Coverage

Understanding the financial impact of a PDPA breach helps justify the insurance investment:

Without Cyber Insurance

  • Forensic investigation: S$30,000-S$100,000
  • Legal representation for PDPC investigation: S$40,000-S$150,000
  • PDPA fine: S$10,000-S$1,000,000
  • Customer notification: S$5,000-S$50,000
  • Credit monitoring for affected individuals: S$10,000-S$100,000
  • PR crisis management: S$20,000-S$80,000
  • Business interruption: S$50,000-S$500,000
  • Total potential exposure: S$165,000-S$1,980,000

With Cyber Insurance (S$1M Policy, ~S$3,000/year)

  • All of the above covered up to policy limits
  • Insurer provides pre-vetted incident response vendors (faster, often cheaper)
  • Legal team experienced with PDPC process
  • Claims team guides you through the entire process
  • Your out-of-pocket cost: Policy excess (typically S$5,000-S$25,000)

The ROI is clear: S$3,000/year in premiums to protect against S$165,000-S$2,000,000 in potential exposure.

Common Exclusions to Watch For

Every cyber insurance policy has exclusions. Know these before you buy:

  • Prior and pending claims: Incidents you knew about before the policy started
  • Intentional acts: Deliberate criminal conduct by company directors or officers
  • Unencrypted devices: Some policies reduce or exclude coverage if lost/stolen devices were not encrypted
  • Failure to maintain security: If you represented having certain security controls during underwriting but did not actually maintain them
  • War and terrorism: Traditional war exclusion, but increasingly includes state-sponsored cyber attacks (ask about the specific definition)
  • Infrastructure outage: Power grid failure, internet service provider outage, or cloud provider outage that is not caused by a cyber attack
  • Contractual penalties: Penalties arising from breach of contract (vs penalties for breach of regulations)
  • Cryptocurrency: Some policies exclude losses involving cryptocurrency, including crypto ransom payments

Action Plan for Singapore SMEs

Immediate (This Week)

  1. Conduct a basic cyber risk assessment — identify your most critical data and systems
  2. Ensure MFA is enabled on all email accounts and critical business applications
  3. Verify your backup system works — test a restore

Short-Term (This Month)

  1. Get 3 cyber insurance quotes — use a broker who specialises in cyber insurance
  2. Review your PDPA compliance — ensure you have a Data Protection Officer, privacy policy, and breach response plan
  3. Implement employee security awareness training

Ongoing

  1. Maintain your cyber insurance policy — review coverage annually
  2. Test your incident response plan at least annually
  3. Keep all systems patched and updated
  4. Monitor for breaches using endpoint detection tools

Need help with PDPA compliance before applying for cyber insurance? Read our guides on 10 PDPA Obligations Every Singapore Business Must Follow and Best PDPA Compliance Software for Singapore SMEs. A strong compliance posture will lower your cyber insurance premiums.

Frequently Asked Questions

How much does cyber insurance cost for Singapore SMEs?

Cyber insurance premiums for Singapore SMEs typically range from S$1,500-S$8,000 per year for S$500K-S$2M coverage, depending on your industry, revenue, number of records held, existing security measures, and claims history. Tech companies and those handling sensitive data (healthcare, financial services) pay 20-40% more. Micro-businesses with fewer than 10 employees can find policies from S$800/year.

Does cyber insurance cover PDPA fines?

Most cyber insurance policies cover PDPA regulatory defence costs (legal fees for responding to PDPC investigations) and some cover PDPA fines up to the policy limit. However, coverage for fines varies by insurer and jurisdiction. Some policies explicitly exclude government-imposed fines. Always check the policy wording and ask the insurer to confirm PDPA fine coverage in writing before purchasing.

What does cyber insurance NOT cover?

Cyber insurance typically does not cover: prior known breaches or incidents, deliberate criminal acts by the insured, war or terrorism-related cyber attacks, infrastructure failures (power grid, internet outage), reputational damage beyond specific covered PR costs, future lost profits beyond the policy's business interruption period, and bodily injury or property damage (covered by general liability instead). Unpatched known vulnerabilities may also void coverage.

Is cyber insurance mandatory in Singapore?

Cyber insurance is not legally mandatory in Singapore. However, it is increasingly expected by business partners, clients, and regulators. MAS-regulated financial institutions effectively need it due to Technology Risk Management (TRM) guidelines. Government tender requirements increasingly ask for proof of cyber insurance. The PDPA's penalties of up to S$1 million (or 10% of annual turnover) make it a prudent investment.
