What does the Cybersecurity (Amendment) Act 2024 mean for my SME's cyber insurance?

The Answer in 60 Seconds The Cybersecurity (Amendment) Act 2024 (Act 19 of 2024) was passed in Parliament on 7 May 2024, per the CSA press release. Most key provisions commenced on 31 October 2025, including new regulation of third-party-owned Critical Information Infrastructure (CII) and Systems of Temporary Cybersecurity Concern (STCC). CII owners must now notify the Cyber Security Agency (CSA) of incidents within 2 hours of awareness. Provisions covering "Entities of Special Cybersecurity Interest" (Part 3C) and "Major Foundational Digital Infrastructure" service providers (Part 3D) are not yet in force.

The Sourced Detail

The Cybersecurity Act 2018 was Singapore's first dedicated cybersecurity legislation. The 2024 Amendment Act is the first revision since 2018.

Commencement: a phased rollout

Per the Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025 (S 677/2025), published in the Subsidiary Legislation Supplement on 15 October 2025:

In force from 31 October 2025 (sections 2 to 15, 18, 19, 22, 23(b), 24, 25, 28(a) to (g), 29, 31 and 32(1) to (4), (6) and (7)):

  • New Part 3A — third-party-owned CII (3PO CII)
  • Updated Part 3 — provider-owned CII (PO CII), including extraterritorial designation
  • New regime for Systems of Temporary Cybersecurity Concern (STCC)
  • Expanded incident reporting

Not yet in force, per the Hogan Lovells analysis: "certain significant reforms enacted by the 2024 Amendment Act are not part of this 31 October 2025 commencement; this includes Part 3C relating to entities of special cybersecurity interest and Part 3D relating to major foundational digital infrastructure service providers."

What's actually new for CII

Third-party-owned CII (3PO CII). Per the CMS Lawnow analysis, where an essential service provider relies on a CII owned by a third party (e.g., a cloud provider or outsourced infrastructure), the Commissioner of Cybersecurity may now designate the provider (not the owner) as responsible for the third-party CII's cybersecurity. The provider must obtain legally binding commitments from the owner.

Extraterritorial designation. Per section 7 as amended, the Commissioner may now designate a computer or system located wholly outside Singapore as PO CII if it meets the criteria.

Systems of Temporary Cybersecurity Concern (STCC). A new category for systems that are temporarily critical (e.g., vaccine-distribution systems during a pandemic, election systems).

The 2-hour notification window

Per the CSA forms page: "The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident within 2 hours from awareness of an incident by calling the telephone number specified by the Commissioner in the National Cybersecurity Incident Response Framework (NCIRF) document."

The notification scope now also includes incidents in CII supply chains and incidents suspected of being caused by Advanced Persistent Threats (APTs).

The 11 CII sectors

Per CSA's website, the CII sectors are: Energy, Water, Banking and Finance, Healthcare, Land Transport, Maritime, Aviation, Infocomm, Media, Security and Emergency Services, and Government.

Most SMEs are not CII owners. CII designation is targeted at the operators of essential services in these sectors. The 3PO CII regime is what may pull SMEs in indirectly, where they provide infrastructure services to a designated CII operator.

What this means for cyber insurance

(a) Underwriting questions are widening. Insurers are now asking applicants:

  • Are you a CII owner, or do you provide infrastructure to a CII?
  • Have you been notified of designation as a 3PO CII responsible party?
  • Do you have an incident-response plan that meets the 2-hour notification requirement?
  • Do you maintain audit logs sufficient for CSA's inspection regime?

(b) Premium differentiation is sharpening. Per Mordor Intelligence's Cyber Liability Insurance Market in Singapore report, the SG cyber market is forecast to grow from USD 56.72 million in 2025 to USD 94.73 million by 2031 (8.93% CAGR), with standalone covers holding 53.65% market share in 2025 (growing 9.84% CAGR) versus packaged add-ons at 46.35% — a bifurcation reflecting that sophisticated buyers go standalone while first-time SME purchasers lean on packaged add-ons.

(c) Coverage for regulatory defence costs is becoming standard. Modern Singapore cyber wordings typically include defence costs for both PDPA breaches and Cybersecurity Act notifications. But coverage is wording-specific.

What This Means for Your Business

If you're an SME providing IT services to banks, telcos, hospitals or any of the 11 CII sectors, the 3PO CII regime is the most relevant new risk. You may be asked by your customer to commit contractually to (i) information access, (ii) cybersecurity standards, (iii) audits, and (iv) ownership-change notifications.

If you're an SME outside CII sectors, the Cybersecurity Act amendments do not directly create new compliance obligations. But the broader signal is clear: regulator expectations on cyber maturity are rising, and insurers are pricing accordingly.

Questions to Ask Your Adviser

  1. Are any of my customer contracts in CII sectors likely to require 3PO CII commitments from me?
  2. Does my cyber wording cover regulatory defence costs for both PDPA and Cybersecurity Act notifications?
  3. What is my notification-cost limit for forensic, legal and PR support, and is it inside or outside the policy aggregate?
  4. Does my policy require me to notify insurers within a window aligned with the 2-hour CSA window or the 3-day PDPC window?
  5. How does my cyber wording interact with E&O / professional liability for IT vendors?

Related Information

Published 3 May 2026. Source verified 3 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.