The Symbiotic Relationship Between Cyber Insurance and Compliance in Navigating Data Breaches and Cyber Security Incidents

As we enter 2025, a growing number of legal inquiries we receive concern the compliance requirements under the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, particularly around personal data breach and cyber security incident notifications.

In this evolving digital landscape, organizations and in-house legal teams must recognize a critical reality: the occurrence of a personal data breach or cyber security incident is no longer a question of "if" but "when." The real urgency therefore lies in being prepared to comply with these new mandatory notification obligations. In particular, the Personal Data Protection (Amendment) Act 2024 imposes a mandatory data breach notification requirement when a data controller has reason to believe that a personal data breach has occurred; similarly, under the Cyber Security Act 2024, an NCII Entity must submit a cybersecurity incident notification when it comes to its knowledge that a cybersecurity incident has or might have occurred. Non-compliance with these mandatory notification obligations carries severe penalties, including substantial fines and imprisonment, making it imperative for organizations to enhance their regulatory and compliance policies.

To assist organizations in understanding these mandatory notification obligations under both the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, we have published a number of legal articles and recorded legal podcasts that explain in detail the legal framework governing personal data breach and cybersecurity incident notifications, including the triggering mechanisms, the notification processes, and the legal consequences of non-compliance. In this article, we therefore shift our focus to an equally critical but often overlooked aspect of data breach and cyber security management: cyber insurance.


Cyber Insurance: A Critical Component of Cyber Risk Management

Whenever an organization experiences a personal data breach or cybersecurity incident, one of the first questions we ask when assisting them with notification obligations is whether the company has cyber insurance coverage.

While cyber insurance is a well-established concept globally, it is still relatively new in Malaysia. However, the introduction of breach notification obligations under both the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024 has increased its relevance, making it an essential component of modern risk management strategies.

In this article, we aim to cover three key aspects: (i) what cyber insurance is, (ii) how cyber insurance is useful in the event of a personal data breach or cybersecurity incident, and (iii) three key takeaways to consider when evaluating a cyber insurance policy.


What is Cyber Insurance?

Cyber insurance, also known as cyber liability insurance, is a specialized insurance policy designed to protect businesses and individuals from the financial and operational impact of cyber threats, data breaches, and other digital risks. A typical cyber insurance policy will cover a wide range of digital risks, including data breaches, ransomware attacks, business interruption due to cyber incidents, and liability arising from the loss of sensitive customer information.

Depending on the type of cyber insurance, some policies offer first-party coverage, which covers expenses and losses incurred directly by the insured as a result of a cyber incident, whereas third-party coverage addresses liabilities arising from claims made by external parties, such as clients, customers, or business partners, who suffer damages due to the organization's cyber incident. Common coverages typically included in cyber insurance policies are data breach response (the costs associated with responding to a data breach), business interruption (lost revenue and profit caused by a cybersecurity incident), forensic investigation and incident response costs, and other associated legal fees.


How Cyber Insurance Helps in a Data Breach or Cyber Security Incident

Cyber insurance is an invaluable asset in the event of a personal data breach or cyber security incident, as outlined above. In the case of a personal data breach, the data controller is required to lodge a data breach notification under the Personal Data Protection (Amendment) Act 2024; failure to comply may result in a fine of up to RM250,000 or imprisonment for up to 2 years, or both. Similarly, in the event of a cyber security incident, the NCII Entity is required to make a cyber security incident notification under the Cyber Security Act 2024, and non-compliance can lead to a fine of up to RM500,000, imprisonment for up to 10 years, or both.

Based on our experience with data breach notifications, organizations that have suffered a data breach and gone through the notification process can attest that it is both a complicated and costly undertaking. Notification goes beyond simply reporting the data breach: it also requires the preparation and submission of additional independent reports, such as forensic investigation and compromise assessment reports. These reports often require the involvement of external independent parties, including computer forensic experts and cybersecurity service providers, which adds significant cost to the notification process. In many cases, it is only during the notification process that companies fully realize the substantial costs required to complete the entire procedure. These costs do not even account for the expenses related to data recovery and restoration, crisis management, or losses caused by business interruption.

This is where cyber insurance becomes crucial. In the event of a personal data breach or cybersecurity incident, the associated costs, particularly those for notification, crisis management, forensic investigations, and business interruption losses, are typically covered by cyber insurance. These are expenses that organizations often fail to budget for and that are frequently unexpected, placing a significant burden on the business. With the right cyber insurance in place, law firms and insurers can work closely with organizations to ensure seamless compliance and financial protection.


Three Key Takeaways When Evaluating a Cyber Insurance Policy

When evaluating a cyber insurance policy, the most suitable option will ultimately depend on the specific needs of each organization. While this is not an exhaustive list, there are three key takeaways that organizations should consider when assessing a cyber insurance policy:


1. Coverage Scope: First-Party vs. Third-Party Coverage

The first and arguably most important consideration is the coverage scope, specifically whether the policy provides first-party coverage or third-party coverage.

The key difference is that first-party coverage protects against direct losses incurred by the insured organization, such as expenses related to system recovery, business interruption, or ransomware payments. In contrast, third-party coverage addresses liabilities arising from claims made by clients, partners, or other external parties affected by a cyber incident.

The choice between the two depends largely on the organization’s business model. If the business handles a large volume of sensitive client data, third-party coverage is crucial to protect against lawsuits and regulatory claims following a data breach. Conversely, if the primary concern is the operational impact of a cyber incident on internal systems, first-party coverage may be more relevant.


2. Incident Response and Notification Support

The second key takeaway is to assess the incident response and notification support included in the policy.

A well-structured cyber insurance policy should cover forensic investigation costs for hiring cybersecurity experts to determine the origin, scope, and impact of the cyberattack. It should also provide legal support and cover compliance costs required to meet regulatory notification requirements. In addition, organizations should ensure that the policy includes coverage for data recovery and system restoration expenses, including any loss of income due to business interruption caused by the attack. Some policies may also extend to public relations expenses to help manage reputational damage following an incident.


3. Policy Exclusions and Limitations

Lastly, it is crucial to understand policy exclusions, which define what is not covered under the cyber insurance policy. Different cyber insurance policies may have different exclusions and limitations. Common exclusions typically include negligence, where the organization fails to implement basic cybersecurity measures; losses caused by intentional or malicious acts of employees within the organization; and cyberattacks that are considered acts of war or terrorism, or that are attributed to nation-state actors.

Therefore, it is essential to understand the exclusions and limitations within the cyber insurance policy in order to decide which policy would work best for the organization.


Conclusion

With the implementation of the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, organizations must go beyond strengthening their regulatory and compliance frameworks. A well-drafted and comprehensive cyber insurance policy is equally critical. In the event of a personal data breach or cybersecurity incident, cyber insurance plays a pivotal role in mitigating financial and operational risks, covering a range of losses, including the additional expenses incurred in the notification process.

If your organisation requires further insights into data breach or cybersecurity incident notification requirements, please reach out to the Technology Practice Group. Our team has extensive experience in these areas and is well-versed in navigating the evolving regulatory landscape.


About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

© 2000 – 2024 Halim Hong & Quek