The Ins and Outs of Cyber Policies
01 Aug 2025
This article was first published by Asia Insurance Review in August 2025.
To MSIG Singapore’s Mr Jeremy Lian, it is first important to understand the scope of what cyber insurance is designed to cover. Second, he said it is crucial to maintain a clear and detailed timeline of a cyber incident from the moment it is detected, as it could make a difference in ensuring a smooth and timely claims process.
In Singapore, cyber insurance policies tend to come with some exclusions and limitations that policyholders should be aware of, according to MSIG Singapore senior vice president (technical services) Jeremy Lian.
“To begin with, it is important to understand the scope of what cyber insurance is designed to cover. These policies typically focus on intangible losses such as data breaches, business interruption and reputational harm,” said Mr Lian, speaking to Asia Insurance Review.
“They do not extend to physical property damage or personal injury, which are covered under other lines of insurance.”
He also said most cyber insurance policies exclude coverage for war and state-sponsored cyberattacks due to the systemic risks and attribution challenges involved.
Other exclusions and limitations
Deductibles across the cyber insurance market remain high as well, Mr Lian pointed out, saying, “This reflects the significant expenses involved in incident response ranging from forensic investigations and legal counsel to crisis communications.”
He also made sure to highlight that as insurance “is designed to mitigate part of the financial impact following an incident”, policyholders should still invest in strengthening their own cyber defences.
Even when coverage is triggered by an event, he noted, insurers may face restrictions on how certain claims are handled.
Citing ransom payments as an example, he said they were subject to “tight regulatory constraints” such as anti-money laundering laws and sanctions regimes. These restrictions mean insurers may not be able to reimburse ransom payments if there is a risk the funds could end up with a sanctioned entity or be linked to terrorist financing, he said.
“Another area where coverage is tightening is social engineering. As impersonation scams and business email compromise become more sophisticated, insurers may cap limits or narrow the terms for these types of claims,” he said.
“These incidents are difficult to verify and prevent, making them a growing concern for underwriters.” He pointed out that insurers are now prioritising “the strength of an organisation’s cyber security posture”, as well.
He said, “Companies with poor security controls may face more restrictive terms or may not be able to secure cover. On the other hand, organisations that demonstrate maturity in their cyber risk management are more likely to secure broader protection and more favourable terms.”
Taken together, these exclusions and limitations highlight the growing importance of cyber governance, he noted.
Ensuring a smooth claim process
In the event of a cyberattack, “particularly in urgent scenarios like ransomware, having the right documentation can make a significant difference in ensuring a smooth and timely claims process”, according to Mr Lian.
He said, “While some cyber insurance policies offer 24/7 access to incident response support, the effectiveness of the claims process often depends on how well the incident is documented by the policyholder.”
As a result, he noted that it is considered best practice for organisations to maintain a clear and detailed timeline of the incident from the moment it is detected.
“This includes recording all actions taken to contain and recover from the attack, preserving forensic reports and keeping a record of all communications related to the incident, be it with the attackers, internal teams or external stakeholders,” he said.
To substantiate financial losses, he noted that companies should be prepared to share supporting documentation such as calculations of their lost revenue and additional operating expenses. In addition, he said reports filed with law enforcement or regulatory authorities should also be included.
He said, “All of this would build a detailed picture to quickly resolve the immediate emergency with regards to your computer system and allow swift resolution on matters with regards to financial and third-party indemnity.”
Regulatory environment for cyber policies
When asked if the current regulatory environment in Singapore was supportive of cyber policies, Mr Lian noted that it was broadly supportive of the growth of coverage. He also said the country takes a multi-agency approach through authorities such as the Infocomm Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS), which “tackle the different challenges for each respective sector”.
In particular, he pointed out that MAS has established the Cyber and Technology Resilience Experts (CTREX) Panel, which comprises global industry thought leaders, experts and practitioners in cyber security and technology resilience.
“This panel advises on emerging risks and has put forth recommendations that are already shaping how financial institutions approach cyber resilience,” he said.
“These include adopting a service-centric view of operational resilience, addressing third-party and open-source software risks, preparing for post-quantum cryptography and enhancing anti-scam measures through AI-driven fraud detection and phishing-resistant authentication.”
He also cited the Model AI Governance Framework for Generative AI, launched by IMDA to set new benchmarks for responsible AI use, as an example. Saying it complemented developments such as the CTREX Panel, Mr Lian highlighted that as AI-related risks become more prominent in underwriting and claims, such frameworks are increasingly relevant to cyber insurers looking to stay ahead of emerging threats.
“These regulatory efforts have not only improved cyber hygiene across industries but also fostered stronger public-private collaboration and heightened awareness of systemic cyber risks and the need for cyber insurance,” he said.
Risk mitigation for insurers
With the pace and complexity of cybercrimes accelerating, Mr Lian pointed out that it is becoming more difficult for insurers to anticipate how the threat landscape will evolve.
He said, “This challenge is compounded by limited claims data on emerging technologies, making it harder to assess risk accurately and price coverage appropriately.”
As a result, he highlighted that many cyber policies are playing what he called “a reactive game of catch-up”, and cited the industry's knee-jerk reactions to exclude widespread events like Log4j and SolarWinds.
“Such reactions, although necessary to mitigate catastrophic losses, often are disruptive and do generate negative sentiments to the adoption of cyber insurance,” he said.
To stay ahead, he suggested insurers consider other methods to mitigate such issues, such as adopting a more agile, data-informed review as often as possible and collaborating closely with the cyber security industry, reinsurers and public bodies to close the gap as regulatory expectations and threat vectors continue to evolve.
The future
Mr Lian expects ransomware to remain a major concern over the coming year.
“Threat actors could evolve their tactics, and with Gen AI in the mix, they are now able to launch more sophisticated, multi-stage attacks,” he said.
“The use of Gen AI is also making social engineering easier to scale and vulnerabilities quicker to exploit.”
At the same time, he believes supply chain attacks becoming more mainstream will push insurers to rethink how they assess ecosystem risk and drive a demand for policies that can better address third-party exposures, not just direct ones.
“What will be interesting is how the industry will be shifting, with a stronger push to embed risk mitigation into the insurance offering itself,” he said.
“Value-added services like employee training and incident response support will become essential, rather than add-ons, in helping clients to stay insurable in a much more complex threat environment.”
Lastly, he forecast more joint efforts between the public and private sectors to tighten cyber defences.
He said, “As AI becomes more embedded in how we operate, there is going to be a real focus on using it responsibly, with the right data controls and governance in place to avoid legal and ethical pitfalls.”