The Answer in 60 Seconds
Many Singapore SMEs hold a small "Cyber" sub-limit (typically S$50,000 to S$250,000) as part of their Property All Risks (PAR) or business package policy. Standalone Cyber insurance is a dedicated policy with materially broader cover — typical limits S$1M to S$10M+, with first-party (your costs) and third-party (claims against you) sections, plus access to insurer panel forensics, legal, breach counsel, and PR. The PAR sub-limit responds primarily to physical damage caused by cyber events; standalone Cyber responds to the full incident lifecycle including business interruption, data breach response, ransomware payment (where covered), regulatory defence, and third-party liability. Post-2020, most PAR policies expressly exclude cyber events under what's commonly called the "cyber exclusion clause" or "CL380 Cyber Exclusion" derivative — making the PAR sub-limit a narrow add-back, not standalone protection.
The Sourced Detail
This is one of the highest-impact insurance miscalibrations in the Singapore SME market. Founders see "Cyber" as a line item on the property package, assume it's covered, and discover at incident time that the sub-limit covers maybe one quarter of the response cost — if it responds at all.
Why PAR policies have cyber exclusions in the first place
After significant losses from major cyber incidents (NotPetya 2017, WannaCry 2017, SolarWinds 2020), the global insurance market repriced cyber risk. The Lloyd's Market Association issued model exclusion clauses (notably the Lloyd's CL380 / LMA5400 series) that property insurers have widely adopted for non-marine and marine wordings.
The standard exclusion language reads (paraphrased from typical Singapore PAR wordings):
"This Policy does not cover loss, damage, liability, cost, or expense directly or indirectly caused by, contributed to by, resulting from, or arising out of the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus, computer process, or any other electronic system."
The exclusion typically applies regardless of whether the cyber event is the proximate cause or a contributing cause. Some wordings carve back specific perils (e.g. fire resulting from a cyber event remains covered as fire damage); others apply the exclusion broadly.
What a typical PAR Cyber sub-limit actually covers
For SMEs that have a small Cyber section within their PAR or business package policy, the cover is typically:
- Limited to physical damage caused by cyber events (e.g. data centre fire triggered by malware) — the carve-back from the broader cyber exclusion
- First-party costs only in many wordings — costs you incur, not third-party claims
- Sub-limit of S$50,000 to S$250,000 — far below typical incident response cost
- No incident response panel — you call your IT vendor, who is unlikely to be experienced in regulatory notification or breach counsel
- No specialist forensics — meaning evidence preservation may be amateur
- No third-party liability — claims by affected individuals or business partners are uncovered
- Often: no ransomware coverage — extortion payments commonly excluded
- Often: no business interruption coverage — downtime cost is uncovered
What standalone Cyber insurance covers
A dedicated Cyber policy is structured around the modern incident lifecycle. Standard sections:
First-party cover (your costs):
- Forensic investigation costs
- Legal advice on regulatory obligations (PDPA, sectoral regulations)
- Breach notification costs (PDPC, affected individuals)
- Credit monitoring for affected individuals
- Public relations / crisis communications
- Ransomware extortion payment (subject to sanctions screening and policy conditions)
- System restoration costs
- Business interruption from cyber events (lost revenue during downtime)
- Contingent business interruption (when your supplier is hit)
- Data restoration and reconstruction costs
Third-party cover (claims against you):
- Privacy and data breach liability
- Network security liability
- Defamation and content injury (some policies)
- Regulatory investigations and proceedings
- Payment Card Industry (PCI) fines and assessments
Service access:
- 24/7 incident hotline
- Pre-vetted panel forensics (CrowdStrike, Mandiant, Kroll, etc.)
- Pre-vetted panel legal and breach counsel
- Pre-vetted panel PR
- Threat intelligence and post-incident remediation guidance
The dollar value of the services accessed via panel can exceed the dollar value of the indemnity payment — for many SMEs, this is the primary reason to hold standalone Cyber.
Limit and pricing comparisons
PAR sub-limit:
- Typical limit: S$50,000–S$250,000
- Premium impact: usually nominal (often included as standard or marginal extension)
- Indicates: minimal cover; not designed for material incidents
Standalone Cyber for SMEs:
- Typical limits: S$1M–S$5M for SMEs (higher available)
- Annual premium: varies widely with revenue, sector, security posture, prior claims; obtain comparative quotes
- Includes panel access and incident response infrastructure
The premium difference between PAR sub-limit and standalone Cyber is significant in absolute terms but proportionate to the exposure difference. A S$2M Cyber policy is not "20× more expensive" than a S$100k PAR sub-limit — the rating algorithms and structures differ.
Industries where the gap matters most
For these sectors, relying on a PAR sub-limit is a known structural under-insurance:
- SaaS and software companies — customer data exposure plus business interruption
- Healthcare — patient data with PDPA significant-harm category implications
- Financial services and fintech — MAS regulatory expectations plus PDPA
- E-commerce and retail with payment processing — PCI scope plus customer data
- Professional services with sensitive client data — law, accounting, financial planning, HR consulting
- Manufacturers with operational technology (OT) — production line stoppage from cyber events
- Logistics and supply chain — system outage cascading to operational disruption
- Schools and education providers — minor-related personal data with elevated PDPA significance
The Cybersecurity Act 2024 angle
The Cybersecurity (Amendment) Act 2024 — with key provisions in force from 31 October 2025 — expanded cyber incident reporting requirements for owners of Critical Information Infrastructure (CII). For non-CII SMEs, the headline obligation remains the PDPA Section 26D 3-day breach notification. For CII operators, the new framework adds 2-hour reporting obligations.
The insurance implications: Cyber policies have repriced and re-scoped to reflect the regulatory landscape. Cover for regulatory investigation, defence, and (where insurable) penalties is increasingly differentiated between policies — making a comparative read more important than ever.
When the PAR sub-limit might actually be enough
For a narrow set of SMEs, the PAR sub-limit can be operationally sufficient:
- Single-employee businesses with no customer personal data
- Brick-and-mortar retail with minimal digital footprint
- Pre-revenue startups with no production systems
- Businesses where the entire IT estate is third-party SaaS and the SaaS providers carry the breach risk under contract
For these profiles, the cost of standalone Cyber may exceed the realistic exposure. But the threshold at which standalone becomes proportionate is low — roughly any SME with employee data, customer data, or operational systems beyond email and basic office software.
Common Mistakes / What Goes Wrong
- Reading "Cyber" on the PAR schedule and assuming it's adequate. It's a derivative carve-back from the cyber exclusion, not a standalone product.
- Treating an IT support contract as cyber insurance. Your IT vendor fixes systems; they don't pay PDPC fines or third-party damages.
- Calling the IT vendor before the cyber insurer. This burns panel-forensics cover under standalone Cyber.
- Buying standalone Cyber but not understanding the panel. The panel is the cover. If you don't use them, you may not be reimbursed.
- Letting Cyber lapse between policies. Cyber is claims-made — late-notified incidents from prior periods may be uncovered.
- Ignoring retroactive dates. Pre-policy breaches (often unknown when the policy is bought) may be excluded entirely.
- Assuming Cyber covers all data breaches. Some policies exclude employee data breaches, social engineering fraud, or specific incident types — read the wording.
What This Means for Your Business
For Singapore SMEs evaluating cyber cover:
- Read your current PAR / business package wording. Find the cyber exclusion clause and the Cyber section sub-limit. This is your current baseline.
- Map your exposure. Customer data records held, employee data, payment processing scope, system criticality, downtime cost per day.
- Get a standalone Cyber quote. Not as a "should I switch" exercise but as a comparison reference. The gap between what the PAR covers and what standalone covers becomes visible only in side-by-side review.
- Assess panel access. For SMEs without dedicated security teams, the panel access alone can justify the premium — you cannot easily access top-tier forensics or breach counsel on a one-off basis at incident time.
- Review at every business change. New product line, new customer base, new geographic market, M&A, regulatory licence — all change cyber exposure.
The PAR cyber sub-limit was sufficient when "cyber" meant a workstation virus. The current threat landscape (ransomware, supply chain attacks, regulatory enforcement, third-party class actions) has outgrown the sub-limit's design. For most SMEs above the smallest tier, standalone Cyber is the appropriate baseline; the PAR sub-limit becomes a marginal add-back, not the primary protection.
Questions to Ask Your Adviser
- What does my current PAR policy say about cyber events — is there an exclusion, a carve-back sub-limit, or both?
- What is the sub-limit on the PAR Cyber section, and what does it actually respond to (physical damage only, first-party costs, third-party liability)?
- For my business profile, what would standalone Cyber cost, and what limit and panel would it provide?
- Does the Cyber policy cover ransomware payment, regulatory investigation defence, business interruption, and contingent BI?
- What is the retroactive date, and does it provide cover for breaches that may have occurred but not yet been discovered?
Published 4 May 2026. Source verified 4 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.

