Understanding personal cyber insurance: what it covers and what it doesn't


In recent years, companies including banks, insurers, and digital financial services platforms have begun offering personal cyber coverage plans that promise to reimburse users who have been impacted by digital crimes.

Generally speaking, personal cyber insurance can be loosely defined as insurance that can help victims recover from a cyber event.

According to the General Insurance Association of Malaysia (PIAM), there is no single, industry-wide definition of a ‘cyber event’.

“Each insurer may define ‘cyber event’ differently in their policy wording,” says PIAM CEO Chua Kim Soon, adding that the specific policy wording determines whether a claim is valid.

Chua notes that in general, many policies often include ‘cyber events’ such as unauthorised electronic fund transfers from bank accounts and/or e-wallets, etc; online retail fraud such as fraudulent online purchases or misuse of payment cards; as well as identity theft and misuse of personal information.

Chua adds that some policies also cover cyberbullying or online harassment.

In the case of identity theft, “insurance can cover the costs of restoring identity, including replacing documents, legal fees, credit monitoring and incident response assistance cost,” he says.

One insurance company gives the example of a user who unknowingly clicks on a malicious link which then installs malicious code in their device that gives hackers access to the victim’s data.

Personal cyber insurance could reimburse victims for professional IT services to recover their data, such as restoration costs from a laptop repair due to malware.

As US personal finance company NerdWallet puts it, personal cyber insurance – much like other types of insurance – won’t prevent problems from happening, but it can help victims recover if they do.

In Malaysia, pricing ranges from RM1 monthly to around RM100 for an annual plan.

Malaysia Cyber Consumer Association president Siraj Jalil says there has been a gradual but notable increase in public interest in cyber insurance over the last two years. He believes the trend may be driven by several factors.

“The rising frequency of online scams, bank account takeovers, and identity theft incidents; the public’s growing anxiety following high-profile data breaches; and the shift in risk culture where Malaysians now recognise that digital threats carry real financial consequences,” Siraj says when contacted by StarLifestyle.

It was reported by The Star that Malaysians suffered losses exceeding RM1.22bil due to cybercrime from January to October in 2024 with Inspector-General of Police (IGP) Datuk Seri Mohd Khalid Ismail attributing it to incidents such as financial scams, identity theft, data breach and online fraud.

He also cited figures from CyberSecurity Malaysia where more than 5,900 incidents were reported in 2023 including 3,705 fraud cases. Incident reports about data breaches also increased by 1,100% compared to the previous year.

Mohd Khalid added that the numbers highlighted the “real-world impact, economic disruption and erosion of trust in our digital environment”.

What is it for?

According to Monash University Malaysia School of Business Assoc Prof Dr Manjeevan Singh Seera, personal cyber insurance plans in Malaysia typically cover various aspects that include minor online shopping disputes, limited financial loss from some online scams, data recovery and cyber extortion.

“Most personal cyber plans here are small. Expect limits around RM5,000 to RM25,000 depending on the plan and benefits. For example, some plans offer coverage up to RM10,000 and many sub-limits are lower,” he says.

Based on StarLifestyle checks, an insurance company may set a limit of RM500 for claims related to identity theft.

Another company is offering reimbursement up to RM3,000 for users who have been directly impacted by cyberbullying.

Zurich Malaysia chief underwriting officer Anthony Seeto says personal cyber insurance plays a vital role in mitigating everyday threats that may impact users in Malaysia.

For example, he says online fraud remains one of the most common incidents with consumers fooled by fake online stores and losing their money in the process.

Seeto also raises concerns about increasingly sophisticated phishing attacks, where fake but convincing emails and messages trick individuals into revealing sensitive information.

He adds that cases of unauthorised purchases have also become “increasingly common” where criminals use stolen credit or debit card information to perform online transactions without the victim’s knowledge.

“These incidents not only cause immediate financial loss, but resolution with banks or merchants may take months, adding to the emotional toll on victims,” Seeto says.

Do you need it?

Manjeevan feels that most people should “first rely” on, or be aware of, existing anti-fraud measures in the banking system. He explains how banks in Malaysia have implemented measures including migrating from SMS One Time Password (OTP) to more secure authentication methods, initiating a cooling-off period for first-time enrolment of online banking service and introducing a kill switch as a way for users to immediately suspend bank accounts when they see suspicious activity.

He adds that in 2024, Bank Negara Malaysia (BNM) introduced the Policy Document on Ensuring Fair Treatment for Victims of Unauthorised e-Banking Transactions, which took effect in October that year. According to BNM in a statement, the policy “aims to raise public awareness of the rights of financial fraud victims affected by unauthorised e-banking transactions”.

The nine-page document sets out requirements for financial institutions to acknowledge a customer’s report of a disputed transaction and to notify the customer, within three working days, of the information needed for the investigation, including the name, affected account number, disputed amount, and the reason for the dispute.

Item 9.3 states: “Once a report is lodged, FIs (financial institutions) shall immediately advise the customer to lodge a police report and inform the customer in writing of what to expect in connection with the investigation and assessment process of fraud cases.”

In the same year, Manjeevan says, the National Fraud Portal went live, allowing financial institutions to swiftly track stolen funds across the financial system through automated tracing. This aims to prevent further transfers and increase the chances of fund recovery.

“People may think they need insurance before they can get help. The first step is to call your bank and the National Scam Response Centre at 997,” says Manjeevan.

He adds that if a user clicks on a fake ‘bank security update’ link and suddenly sees money being transferred out, they should immediately trigger the kill switch in their banking app or website as part of notifying the bank and stopping further losses.

“Insurance is not the entry point. It may help later for costs outside banking, but speed with the bank and NSRC is what matters first,” says Manjeevan.

While Manjeevan says that most users don’t need a separate policy, he acknowledges that it may be helpful for niche situations outside the bank process.

“For example, a dispute with an overseas seller that is not covered elsewhere. Issues often happen when the seller is overseas and the dispute falls outside local chargeback rules or takes too long,” he says.

For online shopping fraud, Chua says that insurance can reimburse the financial loss or provide compensation “when the policyholder can demonstrate the fraud and show they attempted resolution with the merchant or bank first”.

Are you reading the fine print?

Siraj is concerned that cyber insurance may be marketed in ways that play on public fear rather than genuine understanding.

“Some policies highlight impressive coverage amounts but quietly impose strict claim conditions that consumers rarely read. There is also the risk of overselling, where individuals are encouraged to purchase layers of coverage that do not match their digital behaviour or personal risk exposure,” he says.

Manjeevan agrees that consumers may end up not fully understanding how cyber insurance works: “The word ‘cyber’ sounds like it covers everything online. Most plans are narrow.”

He’s also concerned that because some of these plans are offered through simple one-click app sign-ups, users are likely to overlook important terms and conditions.

“Most policies exclude cases where you were tricked into sending money willingly. This is often called authorised push-payment scams,” he says.

For instance, one insurer specifically excludes situations where users were persuaded to make advance payments in exchange for supposedly high-value goods or services, or where they sent money for romantic reasons.

“Consumers should not presume that all insurers cover the same events,” says Chua.

Do you know what’s not included?

Seeto says that, like all insurance products, personal cyber insurance comes with specific inclusions, coverage limits and conditions that can affect how claims are processed.

“Being informed about these aspects ensures customers have realistic expectations and can make decisions that truly protect what matters to them,” he adds.

According to him, some policies may exclude incidents resulting from intentional misconduct or gross negligence. Users should also be aware of specified financial limits where there’s a cap on the claim amount for losses.

“We’ve also observed common misconceptions about coverage scope. Many consumers assume that personal cybersecurity insurance automatically covers all forms of identity theft or financial fraud.

“In reality, policies often have specific conditions and requirements. For example, a policy might cover credit card fraud but exclude fraud involving cryptocurrency or non-traditional payment methods,” Seeto adds.

He says filing a security insurance claim also requires detailed proof of incident including logs, evidence of communication with perpetrators, and comprehensive accounts of financial losses.

Chua adds that many policies require incidents to be reported within a reasonable timeline, for example 72 hours. “This is important in order not to prejudice the investigation,” he says.

As insufficient documentation can delay or potentially invalidate a claim, Seeto says his company will work closely with customers to guide them through the process.

“Our advice is simple but crucial, read and understand your policy wording thoroughly, including all exclusions and limitations.”

Take control

Cybersecurity expert Fong Choong Fook explains that a consumer is likely to end up becoming a fraud victim if they lack awareness of the latest scams, or do not practice cyber hygiene.

“Based on the statistics, when frauds such as missing funds in an e-wallet occur, it’s usually due to consumers themselves where their devices get compromised after clicking a suspicious link, they share passwords, or their credentials are leaked, which scammers then exploit,” says Fong.

He says that paying a small fee for additional protection can be worthwhile, particularly for older users or those who may be less confident navigating online risks.

But Siraj says that most Malaysians still don’t fully understand how cyber insurance works as the industry itself struggles with translating complex coverage terms into plain language.

He adds that consumers end up with products without fully grasping terms like exclusions, claim limits and incident response requirements.

“A major challenge is the low baseline of digital literacy, where people know the risk exists but cannot visualise how coverage interacts with real-world scenarios such as phishing, investment scams or device compromise,” he says.

Siraj adds that MCCA advocates for transparent explanations, consumer education, and regulatory oversight to ensure marketing practices remain ethical and aligned with real consumer needs.

Manjeevan believes that ultimately, clear lines of responsibility are needed to prevent confusion when fraud happens.

“On responsibility, the main duty should stay with providers that move or hold the money. Banks and payment providers should carry the load for unauthorised e-banking losses.

“Insurance is an optional add-on for gaps outside that space,” he adds.
