Cyber Space: Global insights on cyber and data risk for insurers
Issue 3, June 2025. Navigating the wave of increased cyber regulation in APAC
The Asia-Pacific (“APAC”) region is riding a wave of increased cyber regulation, with Singapore, Malaysia, and Hong Kong each rolling out significant legislative changes to strengthen cyber resilience and accountability. This article explores how these legislative developments are reshaping the compliance landscape for organisations, especially those operating critical infrastructure or digital services.
The common thread running through these developments is a clear move towards more robust regulatory oversight. Organisations now face stricter obligations, including more frequent risk assessments, mandatory incident reporting within tight timeframes, and the prospect of steeper financial penalties for non-compliance. These changes are not just about ticking boxes; they are designed to foster a culture of proactive risk management and greater transparency in the face of evolving cyber threats.
For the cyber insurance market, this regulatory momentum signals both challenge and opportunity. As businesses work to meet higher compliance standards, demand for cyber insurance is expected to grow. Insurers and their clients alike will need to stay agile, ensuring that risk management and insurance solutions keep pace with the region’s fast-evolving legal landscape.
Singapore – Amendments to Singapore’s Cybersecurity Act 2018 (CA 2018)
The Cybersecurity (Amendment) Act 2024 (“Amendment Act”), which has been passed and is expected to come into operation in 2025, empowers the Commissioner of Cybersecurity (“Commissioner”) to designate computers and computer systems wholly outside Singapore as provider-owned critical information infrastructure (“PO CII”), ensuring providers cannot avoid duties merely by completely offshoring CII.
The Amendment Act also introduces the concept of third-party-owned critical information infrastructure (“3P CII”), to deal with situations where a provider of an essential service relies on a computer system owned by a third party located within or outside Singapore. The introduction of 3P CII ensures that both the provider and the third-party owner bear certain responsibilities and duties. For instance, the provider must obtain legally binding commitments from the 3P CII owner to provide updates on material changes and ownership changes, to inform the provider of prescribed cybersecurity incidents, and to conduct audits once every 2 years and cybersecurity risk assessments once a year.
The Amendment Act also introduces frameworks for certain entities or systems, namely (a) Systems of Temporary Cybersecurity Concern (“STCCs”) which are high risk computer systems due to temporary events; (b) Entities of Special Cybersecurity Interest (“ESCI”) which are high risk entities due to their possession of sensitive information or performance of national functions; and (c) Foundational Digital Infrastructure (“FDI”) providers which are companies providing digital infrastructure services such as cloud computing or data centre facility services. STCCs, ESCIs and major FDI providers are subject to various duties and responsibilities, including a duty to report prescribed cybersecurity incidents. Further details, such as notification timelines and information required, will be released in subsidiary legislation.
The Amendment Act provides for various sanctions, including maximum fines ranging from SGD 5,000 to SGD 200,000 (approx. USD 3,800 to USD 152,200) or 10% of the company’s annual turnover in Singapore, whichever is higher, and jail terms with upper limits ranging from 6 months to 2 years.
Malaysia – Introduction of the Cyber Security Act 2024 (CSA)
The CSA, which came into force in 2024, sets out the national cyber security compliance framework and is enforced by the Chief Executive of the National Cyber Security Agency (“Chief Executive”). The CSA applies extraterritorially to actions by any person outside Malaysia relating to national critical information infrastructure (“NCII”) that is wholly or partly in Malaysia. NCII entities must comply with various requirements and requests, such as (a) directions by the Chief Executive; (b) information requests by NCII sector leads; (c) measures, standards or processes under applicable codes of practice; and (d) notification requirements.
Regarding notification, an NCII entity must notify the Chief Executive and relevant NCII sector lead within 6 hours after becoming aware of a cyber security incident affecting NCII. It must provide details of the submitter, entity, sector it belongs to, and incident specifics. Within 14 days after the initial notification, NCII entities must provide supplementary information including the details of the affected NCII, threat actor details, incident artifacts, incident impact and actions taken. The Chief Executive may require the NCII entity to provide further updates from time to time.
The CSA provides for various sanctions including maximum fines ranging from RM 100,000 to RM 500,000 (approx. USD 22,800 to USD 114,000) and jail terms that have upper limits ranging from 2 to 10 years.
Hong Kong – Introduction of the Protection of Critical Infrastructure (Computer Systems) Bill (Bill)
The Bill, which was passed on 19 March 2025 and will come into effect on 1 January 2026, will be Hong Kong’s first legislation that provides a comprehensive framework for critical infrastructure. The authorities that will be appointed to oversee the legislation are the Commissioner of Critical Infrastructure (Computer-system Security) or a designated entity, namely the Monetary Authority for banking and financial services or the Communications Authority for telecommunications and broadcasting services (“Regulating Authority”).
Critical infrastructure (“CI”) refers to essential infrastructure for essential services in Hong Kong under a specified sector or infrastructure which, if compromised, would affect societal or economic activities in Hong Kong. Eight sectors, namely, energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, fall within the definition of CI.
The Bill is not intended to apply extraterritorially to computer systems outside of Hong Kong. The Bill only intends to regulate computer systems that are accessible by the operator in or from Hong Kong. Further, the Commissioner will only request information that is accessible by operators in or from Hong Kong where such information is required to be submitted and will allow CI operators reasonable time for complying with such requests.
Key requirements under the Bill for CI operators include (a) an obligation to maintain an office in Hong Kong; (b) obligations to conduct (i) yearly security risk assessments and (ii) security audits every 2 years for computer systems; (c) an obligation to participate in security drills; (d) an obligation to submit an emergency response plan where critical computer systems are involved; and (e) an obligation to notify the Commissioner of a prescribed security incident.
CI operators must notify the Commissioner within 12 hours after becoming aware of a security incident that has disrupted, is disrupting, or is likely to disrupt the core function of their CI, or within 48 hours in all other cases (“Initial Notification”). If the Initial Notification is not made in the specified form or way, the CI operator must submit a written record in the specified form and way within 48 hours after the Initial Notification (“Supplemental Notification”). The CI operator must then submit a further written report supplementing the Initial Notification and/or Supplemental Notification (if any) within 14 days after it becomes aware of the incident. Further details will be released in subsidiary legislation.
The Bill provides for various penalties and sanctions for non-compliance with, among other things, (a) directions or notices issued by the Regulating Authority; (b) submission and implementation of emergency response plans and/or participation in mandatory security drills; and (c) notification requirements, namely fines from HKD 300,000 to HKD 5,000,000 (approx. USD 38,700 to USD 644,500). Jail terms are not imposed on CI operators. They are only imposed where specified persons, namely persons who are authorised to carry out certain duties or functions under the Bill such as a member of a Regulating Authority, breach their duty of secrecy under Section 57 of the Bill.
Comment and Considerations for Cyber Insurers
The recent amendments and introductions of cybersecurity regulations in Singapore, Malaysia, and Hong Kong signify a substantial shift towards enhanced cyber resilience and stricter compliance requirements across the APAC region. These legislative changes are aimed at bolstering the security of critical systems and infrastructure and ensuring that the relevant entities adhere to rigorous standards and obligations.
From an insurance perspective, the expanded regulatory frameworks may drive an increased demand for cyber insurance policies. As organisations strive to meet the new compliance requirements, they may seek insurance coverage to mitigate the risks associated with potential cybersecurity incidents and regulatory breaches. This may result in a broader uptake of cyber insurance and a greater reliance on risk management services provided by insurers.
The introduction of more stringent regulations means that businesses with robust cybersecurity measures may be viewed as lower-risk clients, potentially benefiting from more favourable premiums. Conversely, entities with inadequate safeguards may face higher premiums due to their increased exposure to regulatory scrutiny and potential sanctions.
Insurers may also review the scope of coverage provided to suit the needs of the regulated entity. Insurers should also consider extending coverage to include the increased reporting and notification costs, new or stricter financial penalties for non-compliance, and the potential for heightened contractual liability and civil litigation resulting from the new regulations.
When considering all of the above, CMS’ global cyber and data breach team has longstanding experience (alongside technical partners) in assisting organisations, including those falling within the new legislative regimes and their supply chains, and their insurers, in relation to cyber breach preparedness and improved cyber resilience. Please contact the authors if you would like to discuss further.
Cyber Space – More to come…
This article is part of our Cyber Space series. These monthly articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.