By Clarice Foo, Senior Media & Communications Executive, Straits Interactive
In the corporate race to hop on the AI bandwagon, data privacy risks grow more complex and costly. One question keeps recurring: “What happens when a data breach occurs?”
We speak to Andrew Lai, Co-founder and Executive Director of Anapi, to share how enterprises can mitigate the cost of a data breach and fortify against vulnerabilities. With over 13 years in the insurance and finance industry, Andrew brings a valuable blend of financial acumen and deep sectoral insight. His career has spanned advising retail, fintech and blockchain clients on risk management.
In this interview, Andrew offers a peek behind the curtain into what happens when a data breach strikes - from how insurance policies kick in, to the advisory role a broker plays in crisis response. We also talk about what Small and Medium-sized Enterprises (SMEs) can do to stay protected against digital threats, and why cyber insurance is becoming important in a compliance-conscious era.
Q. Could you briefly introduce yourself and your current role at Anapi?
I’m Andrew Lai, Co-founder and Executive Director of Anapi, a Singapore-based specialty insurance broker. We focus on providing tailored insurance solutions, including cyber insurance, for entrepreneurs, startups, investors and industry associations in fintech and technology sectors.
Q. With your experience in risk management and corporate insurance, which sectors, in your opinion, are most vulnerable to data breaches in Singapore?
There are some common sectors that often experience breaches in Singapore such as non-profits and associations. But breaches are also starting to hit larger SMEs in the retail space and those who provide services to Multinational Corporations (MNCs).
Q. From an insurance perspective, what are some common vulnerabilities/lapses that lead to breaches in the industries you’ve worked with?
Common vulnerabilities include unsecured remote access, lack of Multi-factor Authentication (MFA) protection and usage of outdated and unpatched software. These are common triggers for potentially very large and costly breaches.
We also noticed that the areas hackers normally attack are those not sitting directly within the insured’s own network, such as social media accounts or third-party platforms. These tend not to be given as much security attention as the insured’s internal systems. Although a compromise of an external platform might not lead to a serious breach of personal data, these platforms are vulnerable too, and any breach will incur costs for the insured.
Q. How critical is cyber insurance for companies today, especially in sectors like fintech and property?
In fintech, cyber insurance is often a mandatory contractual requirement to work with larger financial institutions. When working with such large clients for the first time, one might make the mistake of waiting until this is requested before taking action. By then, the insurance buying process becomes rushed and limits the insured’s bandwidth to negotiate more favourable terms. It is sometimes smarter to buy coverage early when the risk is low, then scale up as required later to get better pricing and terms.
For organisations in the property sector, the value of cyber insurance extends beyond protecting the insured against a Personal Data Protection Act (PDPA) breach. It also helps reduce loss of trust from customers and partners, and covers additional post-breach damage control expenses, which can be more costly than regulatory fines.
Beyond cushioning financial impact, cyber insurance also plays a role in strengthening an organisation’s overall data protection posture and cyber resilience. The underwriting process is a good way to check if you have any gaps in your security plan. Too many “No”s is an indication that there are probably critical gaps to be addressed.
Q. When an organisation applies for cyber insurance, what are insurers typically looking for in terms of cybersecurity/data protection hygiene and risk posture?
When assessing a company’s eligibility for cyber insurance, insurers typically look for evidence of strong cybersecurity hygiene and risk posture. Most insurers now expect organisations to have MFA enabled, especially for access to corporate emails and remote network connections, as third-party remote access continues to be a common vector for breaches.
Endpoint Detection and Response (EDR) solutions are also considered a baseline requirement, as they provide real-time monitoring and can contain threats before they spread. In addition, having robust data backup and encryption protocols is critical, especially for SMEs, to ensure that sensitive data can be securely stored and quickly restored in the event of a breach or ransomware attack.
Q. Could you break down what cyber insurance typically covers, and how it helps organisations manage the financial and reputational fallout of a data breach?
There are two parts to this: first-party costs and third-party costs.
First-party costs are those incurred directly by the insured organisation. These include expenses related to incident investigation and recovery, public relations and crisis communication, notification to affected data subjects, payment of ransom (if applicable), business interruption losses, and any additional expenses needed to restore operations.
Third-party costs are those that the insured owes third parties in the aftermath of the breach. These often include legal defence costs, settlements from lawsuits, regulatory investigations, and potential fines.
One of the key value-adds of cyber insurance isn’t just the financial coverage, but the access to a panel of experienced experts in areas such as regulations, IT and Public Relations who can be deployed on short notice by the insurance company to help contain the breach, guide the response, and protect the organisation’s reputation.
In addition, many insurers now offer pre-breach services, such as vulnerability scans, discounts on cybersecurity vendors, and crisis simulation workshops. These services help clients strengthen their security posture proactively and prepare for potential incidents before they happen.
Q. When a data breach occurs, what does a typical response look like from an insurance broker’s perspective?
Data breaches typically happen over weekends or late at night, when organisations may be least alert. As insurance brokers, our first role is to help the insured stay calm and focused. We quickly review their policy coverage with them and guide them on how to frame and report the incident to the insurer to ensure a prompt and effective response.
We also act as the liaison between the insured and the insurer to ensure there’s no miscommunication and that the insurer fully understands the insured’s situation and priorities. As the situation stabilises after the first few crucial days post-breach, we continue to support the insured by facilitating smooth communication with the insurer and advising the insured how to make full use of their coverage to minimise both financial and reputational impact.
Q. With the advent of AI, what are some new risks emerging for Singaporean companies and how are insurers adapting the coverage offered or risk assessments in response?
One of the most significant emerging risks for Singaporean companies is the increased sophistication of cybercrime. AI can be used to automate and personalise attacks such as phishing or social engineering, making them harder to detect, especially in organisations with globally distributed teams.
While we have yet to see how risk assessments and coverage offerings will adapt in response in Singapore, commercial insurers will continue to cover financial losses from ransomware attacks, data breaches and regulatory fines/penalties (where insurable).
For clients, it’s a good time to re-evaluate their existing policies and consider adding crime coverage where budget allows, as traditional cyber insurance may not fully cover all types of AI-driven fraud.
Q. As data protection laws & AI regulations evolve locally, regionally and globally, how can Singaporean companies stay compliant and keep their risk exposure low?
A good starting point is to engage with vendors and specialists in the data privacy and cybersecurity space to learn more about what’s going on in Asia. There are plenty of outsourced DPOs, cyber security vendors and compliance specialists in the market who can offer valuable insights. That said, committing to more in-depth consultations tailored to your organisation’s specific risk profile will likely incur a cost.
Ideally, companies should build in-house capabilities comprising a data protection office and cybersecurity team who understand the organisation’s internal data flows and stay up-to-date on regulatory changes. But acquiring and sustaining such an operation may not be feasible for SMEs due to resource constraints.
As such, a practical first step for SMEs would be appointing at least one DPO with a strong IT or legal background. This role should be supported with internal (and interdepartmental) buy-in, budget for essential training, selective engagement of external expertise, and access to relevant information. This allows the company to maintain a reasonable compliance baseline while scaling up over time.
With data governance no longer optional, even for smaller companies, resourcefulness and strategic prioritisation must step in where time and money are limited.
Where a single breach can compromise systems and trust, investing in one’s cybersecurity posture today doesn’t just lower premiums. It builds a culture of proactive breach prevention, and that pays dividends far beyond the boardroom. Andrew Lai’s insights show that mitigating breaches boils down to preparation.
If you’d like to hear more insights from Andrew, catch him at our upcoming webinar on 23 May, 2025, Data Breaches in the Generative AI Era – What Your Real Estate Agency Needs to Know, where we’ll take a closer look at the intersection of AI, cybersecurity and regulatory readiness for the property industry.
This article was originally published on 13 Apr at the Governance Age.