Ransomware Insurance Singapore
Last reviewed: 2026-06-03.
Ransomware cover is one component of a standard Singapore cyber-insurance policy. It pays for the costs of responding to an extortion event — typically including negotiation, ransom payment (where legally permissible), data restoration, business interruption, and forensic investigation. The cover and its sublimits vary materially by insurer.
What ransomware cover typically includes
- Cyber extortion / ransom payment. The ransom itself, where payment is lawful under Singapore and applicable sanctions law (US OFAC, UK OFSI, EU rules). Subject to insurer pre-approval — insurers will not pay if you have not engaged their nominated negotiator first.
- Negotiation services. Specialist negotiators (typically panel-appointed by the insurer) who manage the communication with the threat actor. Their fees are usually first-dollar covered.
- Forensic investigation. Determining what happened, what was exfiltrated, what remains compromised. Critical because many ransomware events also involve data theft.
- Data restoration. Engineering costs to restore systems from backup, rebuild domain controllers, recover databases. Often the largest single component if backups are partially compromised.
- Business interruption. Income lost while systems are unavailable, plus extra expenses to maintain critical operations (cloud failover, manual workarounds, overtime). Typically subject to a 6–24 hour waiting period and a defined indemnity period.
- PDPC notification + regulatory defence. Many ransomware events involve data exfiltration that triggers PDPA notification — see our 3-day rule guide.
- Public-relations / crisis communication. External PR firm engaged to manage customer + media communication.
Common exclusions to watch for
- War / state-sponsored attacks. The 2022 Lloyd's war-exclusion clauses are now embedded in most Singapore cyber wordings. Insurers may decline cover where attribution to a nation-state actor is established.
- Sanctions. Ransom payments to sanctioned entities are excluded by law. The insurer's sanctions screening determines whether payment is even possible.
- Pre-existing vulnerabilities. If the threat actor exploited a CVE you knew about and failed to patch, cover may be reduced or declined.
- Bricked devices. Cover for hardware destroyed by malware (rather than restored from backup) varies; check the policy.
- Reputational damage. Lost future revenue from reputational damage is typically not recoverable — only BI during the outage period.
Sublimits to look at on every quote
The aggregate policy limit is rarely the binding constraint. Sublimits are. Common ones for ransomware:
- Ransom payment sublimit — often a percentage of the aggregate
- BI waiting period — 6, 12 or 24 hours
- BI indemnity period — 90 days, 180 days, or 12 months
- Forensic investigation sublimit
- Crisis communication / PR sublimit
- Contingent BI for vendor outages — often a separate (smaller) sublimit
What insurers will check at underwriting
- MFA on all admin and remote-access accounts (privileged + email). In 2026, most insurers will decline to quote without this.
- Backup posture — separation of backups from the network (offline / immutable) and the most recent successful restore test
- EDR/MDR on all endpoints
- Security awareness training — at least annual, with phishing simulations
- Patch cadence — particularly for internet-facing systems
- Incident response plan — written, tabletop-tested, with named contacts
The negotiation reality
If you suffer a ransomware event, the most important first calls are (in order):
1. Your cyber insurer's incident-response hotline (your policy will name it)
2. Outside legal counsel (insurer will direct)
3. The insurer-nominated forensic firm
4. The insurer-nominated ransom negotiator (if you may pay)
Do not communicate with the threat actor yourself, do not pay without insurer + sanctions clearance, and do not wipe affected systems — preserving evidence is required for the claim.
How much cover do you need?
The right ransomware sublimit depends on the cost of restoring your worst-case affected systems plus your BI exposure. Insurers structure ransomware sublimits as a fraction of the aggregate limit: smaller policies usually allow ransomware to consume the full aggregate, while larger policies cap it at a lower percentage to preserve the aggregate for third-party liability claims.
Get real quote-level limits from our quote form — pricing varies too much by sector and security posture for table values to be useful.