Cyber Liability Single Policy vs Tower Primary + Excess Structure: When Does Tower Make Sense?

The Answer in 60 Seconds

A single Cyber policy has one insurer providing all cover up to the policy limit; simpler administratively, easier claim coordination, but limit-constrained by what one insurer is willing to write. A Cyber tower structures cover in layers: a primary policy writes the first layer (e.g. first US$5M), then excess insurers sit above (US$5M-US$10M layer, US$10M-US$25M layer, etc.). Tower architecture matters because: (1) most insurers cap their per-risk Cyber appetite at a specific level, so tower is the only path to substantial limits (US$25M+ typically requires 3-5+ insurers), (2) excess insurers are typically lower-cost per dollar of cover than primary (since they only respond after lower layers exhaust), and (3) follow-form excess language must align across layers or coverage gaps emerge between layers. For Singapore SMEs, single policy typically appropriate up to S$5M-S$10M; tower considered for S$10M+ exposures. For SMEs with significant cross-border / class-action exposure (e.g. US operations), tower structures common at S$10M-S$25M range.

The Sourced Detail

For Singapore SMEs evaluating Cyber Liability scope, the choice between a single-policy and a tower structure depends on the required limit, the exposure profile, and commercial sophistication. Single policy is the default for most SMEs; a tower becomes relevant as limits increase. Cyber Liability is written by insurers licensed by MAS under the regulatory framework of the Insurance Act 1966, with industry conventions set by the General Insurance Association of Singapore (GIA). The data-breach notification obligations that drive Cyber claim cost are set out in PDPA Section 26D and the PDPC guidance.

The single-policy structure

One insurer writes a single Cyber policy with a defined limit (e.g. S$5M, S$10M, S$25M), defined retentions, cover scope, and exclusions.

Its advantages are simplicity: a single insurer relationship, a single claim-coordination point, and cost efficiency at smaller limits. Its disadvantage is that the limit is capped by what one insurer is willing to write for the risk.

Most SMEs with limits up to S$5M–S$10M use a single policy, and the Singapore market provides single-policy capacity at those levels.

The tower structure

A tower structures the cover in layers:

• Layer 1 (Primary) — the first insurer writes the first layer (e.g. the first S$5M), with the defined cover scope.
• Layer 2 (First Excess) — a second insurer writes the next layer (e.g. "S$5M excess of S$5M" — the next S$5M), following the form of the primary, and responding only after the primary is exhausted.
• Layer 3 and above — further insurers in higher layers, each following the form and responding in turn as the layers below exhaust.

Together the layers make up the total tower (e.g. S$25M in five S$5M layers), coordinated across the insurers.

Its advantages: access to substantial limits no single insurer would write; excess layers that cost less per dollar of cover; and diversification away from dependence on one insurer. Its disadvantages: multi-insurer coordination, follow-form complexity, and claim coordination across layers.

When a tower becomes relevant

A tower becomes relevant where the required limit outgrows single-insurer appetite. The exposure indicators that push limits up:

1. Substantial customer or data exposure — healthcare data, financial data, government contracts, and the class-action exposure that comes with large data volumes.
2. Cross-border exposure — US operations (the class-action environment) and EU operations (GDPR exposure).
3. Industry factors — designation as Critical Information Infrastructure (CII) under the Cybersecurity Act 2018, financial services (MAS regulation), and healthcare (the HCSA framework). The case law on cyber claims can be traced through eLitigation.
4. Commercial customer requirements — major customers may contractually require S$10M–S$25M+.

Follow-form mechanics

In a tower, the excess insurers typically write on a follow-form basis — adopting the primary policy's terms — but the exclusions and endorsements can differ between layers.

The point to confirm is alignment: the definitions, exclusions, notification provisions, and defence-cooperation terms should be consistent across every layer. Where follow-form alignment fails, a coverage gap can open up between layers — a loss the primary covers but an excess layer excludes, or the reverse.

The drop-down feature

Some excess policies include a drop-down provision: if the primary insurer becomes insolvent, the excess layer "drops down" to respond in its place. Without a drop-down provision, an excess layer responds only once the primary limit is exhausted — so a primary insurer's insolvency leaves a gap.

Worked scenarios

• Small Singapore SME (general business, S$5M Cyber) — a single policy, cost-efficient and simple.
• Mid-size Singapore SME with significant data (S$10M Cyber) — a single policy is still viable from major insurers.
• Singapore SME with US operations (S$15M–S$25M Cyber) — a tower is typically relevant, given the class-action exposure and the limits required.
• Singapore SME with healthcare, financial-services, or CII exposure — a tower is commonly used to reach the limits those exposures demand.
• Major established Singapore SME (S$25M–S$50M+) — a tower is essential; that limit is not available from any single insurer.

Tower design considerations

• Layer sizing — layers are typically S$5M–S$10M each, sized to balance insurer appetite against cost.
• Insurer selection — spread the layers across a mix of insurers to avoid concentration, weighing each insurer's claims-handling track record.
• Limit structure — confirm how the aggregate limit, the per-event limit, and defence and notification costs are handled across the tower.

Cost economics

The premium per dollar of cover falls as you move up the tower: the primary layer is the most expensive per dollar, the first excess significantly less, and higher layers progressively less again — because each higher layer is less likely to be reached. This is why, at substantial limits, a tower can be more cost-efficient than stretching a single policy.

Singapore market considerations

Major insurers (AIG, Allianz, Chubb, AXA, Tokio Marine, and others) provide single-policy Cyber capacity in Singapore, with individual insurers writing to S$10M+. Beyond that, the tower market is accessed through specialist brokers.

Operational discipline

A tower needs disciplined coordination: consistent notification protocols across every insurer at claim time, renewal aligned across the layers, and a specialist broker to structure and maintain it.

Comparison summary

Consideration	Single Policy	Tower Structure
Limit availability	Capped by single insurer	Substantial via multiple insurers
Administrative complexity	Lower	Higher
Cost per dollar of cover	Standard	Lower for excess layers
Claim coordination	Single insurer	Multiple insurers
Insolvency risk	Single insurer concentration	Diversified
Typical SME relevance	Up to S$5M-S$10M	S$10M+

Stage-by-stage build

• Small / simple Singapore SME — a single Cyber policy is appropriate.
• Mid-size Singapore SME — a single policy, or a low-layer tower as limits rise.
• Large / sophisticated Singapore SME — a tower is essential, with multi-insurer coordination.
• Cross-border or high-exposure SME — a tower, structured with the relevant foreign-market exposures in mind.

Common Mistakes / What Goes Wrong

1. Selecting a limit without an exposure analysis. Under- or over-insurance.
2. A single policy where a tower would give better economics. Cost inefficiency at scale.
3. A tower without follow-form alignment. Coverage gaps open up between layers.
4. No specialist broker to structure the tower.
5. Single-insurer concentration across the tower. Diversification lost.
6. No drop-down provision. Primary-insurer insolvency leaves a gap.
7. Notification protocols inconsistent across layers.
8. No annual review across all layers. Renewal-coordination problems.
9. Defence-cooperation terms inconsistent between layers.
10. No industry expertise for the specific exposure.

What This Means for Your Business

For Singapore SMEs evaluating Cyber Liability structure:

1. A single policy is appropriate for most SMEs — typically up to S$5M–S$10M.

2. A tower becomes relevant at S$10M+.

3. For US-exposed operations, a tower is commonly essential — the class-action environment drives the limits up.

4. For healthcare, financial-services, and CII exposures, a tower is commonly essential.

5. Engage a specialist broker to structure a tower.

6. Verify follow-form alignment across every layer.

7. Diversify insurers across the layers.

8. Review annually across all layers.

The Cyber tower decision is a function of the exposure profile and the limit required. For most Singapore SMEs a single policy is appropriate; a tower becomes relevant as limits and exposures grow.

Questions to Ask Your Adviser

1. For my exposure profile, what Cyber Liability limit is appropriate?
2. At my required limit, is single policy or tower more efficient?
3. For tower structures, what follow-form provisions matter?
4. For excess layers, what insurers are appropriate?
5. For claim scenarios, how do tower and single policy differ in handling?

Related Information

• Standalone Cyber Insurance vs Cyber Sub-Limit Under PAR: What's the Difference?
• PDPA Section 26D Mandatory Data Breach Notification: The 3-Day Clock Explained
• Our Systems Are Locked and the Attackers Want Bitcoin — What Do I Do Now?

Published 5 May 2026. Source verified 5 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.