The RM 3.2 Million Question:

Does Your Business Have Cyber Insurance, and Is It Enough?

What Malaysian businesses need to know about cyber insurance in 2026: what it covers, what insurers now require before they will issue a policy, and how your security controls determine whether you can get coverage at all.

Insurance Exists for Risks You Cannot Eliminate. Cyber Risk Qualifies.

Over this campaign, we have covered the tools and practices that reduce your risk of a cyberattack: layered endpoint security, multi-factor authentication, staff training, tested backup systems, and network segmentation. Every one of these measures is worth implementing. And every one of them still leaves a residual risk. Attackers are persistent, methods evolve, and no security programme is perfectly impenetrable.

This is where cyber insurance enters the picture. Not as a substitute for security, but as the financial safety net that covers the damage when security is not enough. The average cost of a data breach in Malaysia is RM 3.2 million, according to CyberSecurity Malaysia’s 2025 Annual Report. That figure covers ransom demands, downtime, IT forensics, legal costs, PDPA regulatory exposure, and reputational damage. For most Malaysian SMEs, an uninsured breach of that magnitude is existential.

But in 2026, cyber insurance comes with a significant caveat that most Malaysian business owners do not know: insurers are now treating the application process as a security audit. Businesses that cannot demonstrate specific technical controls are being denied coverage, offered limited policies with high exclusions, or charged premiums that price them out of meaningful protection. This post explains what the controls are, what coverage you should be looking for, and how your security posture and your insurability are now directly connected.

THE STATE OF CYBER INSURANCE IN MALAYSIA IN 2026

The global cyber insurance market reached an estimated USD 16.3 billion in premiums in 2025, nearly tripling in five years, according to Munich Re, cited in Falconer Security’s February 2026 analysis. In Malaysia, cyber insurance is a growing but still underpenetrated category. Etiqa and Allianz Malaysia offer cyber insurance tailored to local business needs, including coverage for ransomware, data loss, PDPA regulatory fines, and third-party liability. AIG Malaysia offers the CyberEdge solution with 24/7 breach response access.
Source: biztechcommunity.com and aig.my

Malaysian businesses handling customer personal data face real financial exposure under the PDPA 2010. Under current provisions, the Department of Personal Data Protection (JPDP) can impose fines of up to RM 500,000 and imprisonment of up to three years for non-compliance. Proposed PDPA amendments under review in 2026 would introduce mandatory breach notification requirements and increase penalties significantly. For businesses subject to BNM RMiT or the Cybersecurity Act 2024, additional obligations apply. Cyber insurance that specifically covers PDPA regulatory fines and third-party liability is increasingly relevant as enforcement matures.
Source: contingent.com.my and biztechcommunity.com

RM3.2M

Average cost of a data breach in Malaysia, 2025
CyberSecurity Malaysia Annual Report 2025

USD16.3B

Global cyber insurance market premiums in 2025
Munich Re, via Falconer Security Feb 2026

82%

of denied claims involved organisations without MFA
Coalition 2024 claims data, via MoneyGeek 2026

What a Business Cyber Insurance Policy Covers

A well-structured cyber insurance policy for a Malaysian SME should cover both first-party costs (your own losses) and third-party liability (claims from customers, partners, and regulators). The table below summarises the main coverage categories.
Source: biztechcommunity.com and moneygeek.com

Coverage Category: What It Pays For

Business interruption: Lost revenue during the period your systems are offline due to a covered incident. This is often the single largest component of a cyber loss for a Malaysian SME.
Ransomware and extortion costs: Costs to respond to an extortion demand, including negotiation support. Note: some policies sub-limit ransomware coverage or restrict payments where the recipient is a sanctioned entity.
IT forensics and investigation: Professional costs to determine how the breach occurred, what data was accessed, and how to contain and remediate the attack.
Data recovery and restoration: Costs to restore systems, recover data, and rebuild compromised infrastructure.
Legal costs and regulatory fines: Legal fees and PDPA regulatory fines imposed by the JPDP. This is particularly relevant for Malaysian businesses handling customer personal data.
Third-party liability: Claims from customers, partners, or other parties whose data was exposed in the breach. Covers damages and defence costs.
Crisis management and PR: Costs to manage public communications and protect brand reputation after a breach; increasingly important for customer-facing businesses.
Notification costs: Costs to notify affected individuals and regulators as required by PDPA and the proposed mandatory notification amendments.

Important: always review sub-limits carefully. A RM 2 million policy with a RM 250,000 ransomware sub-limit means ransomware attacks max out at RM 250,000, far below the average Malaysian incident cost. The total policy limit and each sub-limit are what matter in a real claim. Source: moneygeek.com

“In 2019, you could get a cyber insurance policy by answering a 10-question form. In 2026, underwriters are deploying their own security scanners against your external attack surface, requiring evidence of specific technical controls, and writing coverage exclusions that invalidate claims if you misrepresented your security posture. This is not a compliance exercise — it is a technical audit with financial consequences.”

Falconer Security / SecureBin.ai: Cyber Insurance Requirements 2026 | Source: securebin.ai

The 8 Security Controls Insurers Now Require in 2026

Based on analysis of application forms from the top cyber insurers globally (including Coalition, Beazley, Chubb, AIG, and others), the following eight controls are now effectively universal requirements for any business seeking meaningful cyber insurance coverage in 2026. Businesses missing these controls face denied applications, higher premiums, reduced coverage limits, or denied claims after a breach.
Sources: securebin.ai, mis-solutions.com, and falconersecurity.com

1. Multi-Factor Authentication (MFA) on All Critical Accounts

Why insurers require it: Coalition’s 2024 claims data shows 82% of denied claims involved organisations without MFA. MFA is now the single control most likely to determine whether you can get coverage at all. Microsoft reports that MFA blocks more than 99.2% of account compromise attacks.

What they look for: MFA enforced on email, remote access (VPN), administrative accounts, cloud platforms, and financial systems. Insurers will ask specifically whether senior executives and IT administrators are included, since these are the most targeted accounts.

BigBand service: BigBand implements MFA across all critical systems as part of our Endpoint Security and Advanced Threat Detection services. bigband.net.my/bigband-endpoint-security

2. Endpoint Detection and Response (EDR) on All Devices

Why insurers require it: Traditional antivirus is insufficient for 2026 threats. Insurers now require behavioural monitoring that detects threats in real time across every device on the network. EDR provides the audit trail insurers need to assess what happened during a breach.

What they look for: EDR deployed on all laptops, desktops, and servers. Coverage of remote work devices and, for manufacturing clients, engineering workstations. Evidence that alerts are monitored and acted upon, not simply generated.

BigBand service: BigBand’s Advanced Threat Detection service provides EDR with 24/7 monitoring across your entire device estate. bigband.net.my/bigband-advanced-threat-detection

3. Encrypted, Immutable, and Tested Backups (Isolated from the Main Network)

Why insurers require it: Ransomware attackers deliberately destroy backup systems before encrypting primary data. Insurers require proof that backups cannot be deleted or altered by ransomware, and that they have actually been tested to confirm data can be recovered.

What they look for: Offsite or cloud backups that are immutable (cannot be overwritten or deleted). Evidence of regular backup testing, not just backup scheduling. Documentation of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets and how they are met.

BigBand service: BigBand’s Backup as a Service (BaaS) delivers encrypted, immutable, offsite backups with scheduled restore testing and documented RPO/RTO. bigband.net.my/bigband-backup-as-a-service

4. Network Segmentation Between Critical Systems

Why insurers require it: Flat networks allow attackers who enter through a low-security device to move freely to high-value systems. Insurers require evidence that IT systems, OT systems, and backup infrastructure are isolated from each other.

What they look for: Documented network architecture showing segmentation. Firewalled boundaries between user networks, server environments, and administrative systems. Separate segment for backup systems so that ransomware cannot reach them from the production environment.

BigBand service: BigBand’s Next-Generation Firewall with deep packet inspection and network segmentation architecture is designed to meet this requirement. bigband.net.my/bigband-anti-ransomware

5. A Documented and Tested Incident Response Plan

Why insurers require it: IBM’s 2025 Cost of a Data Breach report found that organisations with a tested incident response plan reduce breach costs by approximately USD 250,000 compared to those without one. Insurers require proof the plan exists and has been exercised.

What they look for: A written plan naming specific personnel, external resources (IT forensics firm, legal counsel), and step-by-step procedures. Evidence of a tabletop exercise within the last 12 months. The plan must cover identification, containment, eradication, recovery, and post-incident review.

BigBand service: BigBand works with clients to develop and test incident response plans as part of our managed security advisory services. Contact BigBand to discuss.

6. Privileged Access Management and Least-Privilege Principles

Why insurers require it: Attackers that compromise an account with administrative privileges can move through an entire network and disable security controls. Insurers require evidence that admin-level access is restricted to those who genuinely need it.

What they look for: Documentation of who holds administrative credentials and why. Separation of day-to-day user accounts from administrative accounts, even for IT staff. Audit logs showing privileged access usage. Controls preventing privilege escalation by standard users.

BigBand service: BigBand’s security advisory services include access control review and implementation as part of endpoint security engagements. bigband.net.my/bigband-endpoint-security

7. Patching and Vulnerability Management (Within 30 Days for Critical CVEs)

Why insurers require it: Unpatched systems are the second most common initial attack vector after phishing. Some insurers now require patches for actively exploited vulnerabilities within 14 days. Running end-of-life software is a red flag that can result in coverage exclusions.

What they look for: A documented patch management policy. Evidence of regular patching cycles. No end-of-life operating systems or unsupported software in production environments. For insurers using external scanners, your attack surface must be clean of known critical vulnerabilities.

BigBand service: BigBand’s managed security services include vulnerability scanning and patch management oversight as part of ongoing security monitoring engagements. Contact BigBand to discuss.

8. Email Security Controls (SPF, DKIM, DMARC) and Anti-Phishing Protection

Why insurers require it: Phishing remains the most common initial attack vector. The FBI IC3 2024 report identified phishing and business email compromise (BEC) as causing approximately USD 2.8 billion in losses. Insurers require proof that email authentication and advanced threat protection are configured.

What they look for: SPF, DKIM, and DMARC configured and enforced at DMARC p=reject or p=quarantine. Advanced email threat protection that scans attachments and links. Evidence that email security is actively managed, not set-and-forget.
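The enforcement test above can be checked offline against the DNS TXT records a domain publishes. The following is an added example, not BigBand's or any insurer's code; the sample records are constructed for a fictional domain, and the pct, sp and rua checks are this example's own reading of "actively managed, not set-and-forget".

```python
# Added example: check SPF and DMARC TXT records the way an underwriter's
# external scan would, separating a domain that merely publishes records
# from one that actually enforces them. Sample inputs are constructed.
ENFORCING = {"quarantine", "reject"}


def parse_tags(record):
    """Turn 'k=v; k=v' DMARC tag syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (enforced, findings): True only when p=quarantine/reject applies
    to 100% of mail, covers subdomains, and aggregate reports are collected."""
    if not record:
        return False, ["no DMARC record published"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["record is not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'} is monitor-only")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} enforces on only part of the mail flow")
    if tags.get("sp", policy).lower() not in ENFORCING:
        findings.append("sp leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("no rua= address, so failure reports are never seen")
    return not findings, findings


def evaluate_spf(record):
    """Return (restrictive, finding); only -all or ~all fails unauthorised senders."""
    if not record:
        return False, "no SPF record published"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return False, "record is not an spf1 record"
    final = terms[-1].lower()
    if final in ("-all", "~all"):
        return True, f"unauthorised senders fail ({final})"
    return False, f"final mechanism {final!r} does not restrict senders"
```

A record of "v=DMARC1; p=quarantine; pct=25; sp=none" is reported as not enforced even though p is set, which is the gap an external scanner would flag.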

BigBand service: BigBand’s Next-Generation Firewall and Advanced Threat Detection services include email security architecture and anti-phishing controls. bigband.net.my/bigband-advanced-threat-detection

Why PDPA Compliance and Cyber Insurance Are Now Inseparable

Malaysia’s PDPA 2010 creates direct financial exposure for businesses that suffer a breach affecting personal data. Under current provisions, fines of up to RM 500,000 per offence are possible. Under proposed PDPA amendments being reviewed in 2026, mandatory breach notification requirements and increased penalties are on the table. For businesses in financial services, the BNM RMiT framework creates additional obligations with its own penalty structure, as does the Cybersecurity Act 2024 for Critical Information Infrastructure operators.

The connection to cyber insurance is direct: most of these fines and the legal costs of defending against regulatory action are coverable under a properly structured cyber insurance policy that includes regulatory and legal liability cover. Without the insurance, the regulatory exposure sits entirely on the business owner’s balance sheet.

The connection to security controls is equally direct: a business cannot demonstrate to a PDPA enforcement authority that it took ‘reasonable steps’ to protect personal data if it cannot demonstrate that basic security controls (MFA, endpoint protection, patching, secure backup) were in place. The same controls that satisfy an insurance underwriter satisfy a regulatory auditor. Building the security programme and building the insurance case are the same activity.
Source: contingent.com.my

YOUR CYBER INSURANCE READINESS SELF-CHECK

Review your current security posture against each of the eight controls above. For each one, ask: do we have this in place? Can we prove it? When was it last tested?

7 to 8 controls demonstrable: You are in a strong position to apply for comprehensive cyber insurance. Focus on documentation and ensuring your evidence is current and well-organised before approaching insurers.

4 to 6 controls demonstrable: You can likely obtain coverage, but may face higher premiums, sub-limits on ransomware, or exclusions for gaps. Prioritise MFA, EDR, and immutable backups first; these three are the most heavily weighted by underwriters.

Fewer than 4 controls demonstrable: Insurers are likely to either decline coverage or offer a very limited policy. Before approaching insurers, address the most critical gaps, especially MFA, which Coalition data shows is the single most decisive control for coverage eligibility.

A Final Word

This is the tenth post in our BigBand Insights – SMI/SME Series. Every post in this series has been written with the same intent: to give you genuinely useful information that helps you make better decisions about your business’s digital infrastructure whether you work with BigBand or not.

We encourage you to review your cyber insurance readiness with your current IT adviser using the eight-control framework above. Ask your insurer which controls they require and whether your current posture would qualify for the coverage limits you actually need. Ask whether PDPA regulatory fines and mandatory notification costs are included in your policy. These are the questions that determine whether your insurance will actually pay out when you need it.

If you would like a second perspective on your security posture, or if you are evaluating whether your current controls would satisfy an insurer’s underwriting requirements, BigBand is happy to offer a no-obligation conversation. We are not here to sell you insurance. We are here to help make sure that when you apply for it, your business qualifies for the coverage it genuinely needs.

bigband.net.my/bigband-contact | Office: +60 3 5879 3933 | email: [email protected]