D&O Insurance in the Asia Pacific region: Digital & Cyber Risks

    The adoption of artificial intelligence and the rise in cyber threats have created new risk exposures for directors and officers, reshaping corporate liability considerations. According to Aon’s Report, most companies either already use or plan to use AI systems.

    Addressing this shift requires more than employee training. Companies must implement technical protections and adopt thorough strategies for managing digital exposure.

    Aon noted that cybercriminals are increasingly relying on vulnerability exploitation rather than traditional spear phishing.

    As digital technologies reshape business operations, directors and officers face growing legal and regulatory exposure.

    This article outlines the emerging risks associated with AI adoption, cyber security failures, and evolving privacy laws across the Asia Pacific region.

    Beinsure selected the most important things from the report.

    Key Highlights for Directors and Officers in the Digital Era

    • Regulatory Exposure Is Intensifying Across the APAC Region. Directors and officers now operate in a regulatory environment that places direct liability on individuals for privacy and cyber security failings. In Australia, the Privacy and Other Legislation Amendments Act 2024 sets penalties up to $660,000 for non-serious privacy violations. From 10 June 2025, the new statutory tort for serious invasions of privacy will allow individuals to seek damages for data misuse. Similar legal developments in Singapore, Japan, South Korea, and China signal a broader trend of increasing personal accountability for technology-related risks.
    • Cyber and AI Risks Are Top Priorities for D&O Insurers. Cyber attacks, data breaches, and AI governance are now central to D&O underwriting across the Asia Pacific region. Regulators, such as the Australian Securities and Investments Commission, continue to warn about financial and reputational damage from system failures. Insurers expect boards to demonstrate ongoing oversight of digital risk, including AI adoption, with tailored D&O policies covering emerging liabilities.
    • Board Governance Must Evolve to Address Digital Threats. Aon’s analysis highlights that traditional controls are no longer sufficient. Vulnerability exploitation has overtaken phishing as a leading threat, requiring boards to prioritize technical controls and digital risk quantification. Julie Hamilton of Aon Australia advises boards to adopt strong governance practices that include consistent risk reviews and clarity on AI-related exposures.
    • Country-Specific Compliance and Risk Requirements Vary Widely. Each APAC jurisdiction presents distinct legal and operational challenges. For instance, China enforces comprehensive cyber laws with penalties tied to national standards, while Singapore mandates incident reporting under its Cybersecurity Act. In contrast, New Zealand maintains a less developed regulatory regime but expects boards to align with international expectations on cyber resilience and ethical AI.
    • Directors Must Take Proactive Measures to Mitigate Liability. To meet growing legal and insurer expectations, directors and officers should: regularly review cyber risk frameworks using financial quantification tools, maintain board-level accountability with documented oversight, provide ongoing training on cyber threats and data protection, and ensure incident response plans are current, tested, and actionable.

    The article presents seven key questions on liability, compliance, and insurance, drawing on expert insight from Aon and recent legal developments. The content includes practical steps for managing digital risks and highlights jurisdiction-specific obligations in Australia, Japan, China, India, Singapore, South Korea, and New Zealand (see D&O Insurance Insights: 5 Mega Trends).

    The Australian Securities and Investments Commission has reported that cyber attacks, data breaches, and system failures continue to damage market trust and cause financial harm. As a result, cyber risk remains a priority for directors and officers insurers across the Asia Pacific (APAC) region.

    Under the Privacy and Other Legislation Amendments Act 2024, individuals—including directors and officers—may face a maximum penalty of $660,000 for non-serious interference with privacy, as enforced by the Office of the Australian Information Commissioner (OAIC).

    This underscores the increasing personal liability for corporate leaders in relation to data protection and privacy compliance.

    Julie Hamilton, national D&O practice group leader in Australia, emphasized the importance of strong governance frameworks that directly address technological risks.

    Boards should actively guide their organizations in this changing environment and ensure their D&O insurance covers liabilities associated with AI and other digital tools.

    In the legal sphere, Stanford Securities Litigation Analytics began monitoring securities class actions involving AI in 2024 as a new trend category.

    While these filings are not entirely new, their frequency more than doubled in 2024 compared to 2023. The expanded role of AI in business models may lead to continued growth in related litigation.

    Evolving Legal Duties for Directors

    As technology rapidly evolves, so do the legal expectations placed upon directors. They must now navigate a complex regulatory landscape designed to address the growing risk associated with technological advancements.

    A notable development is the introduction of a statutory tort for serious invasions of privacy in Australia, effective 10 June 2025.

    This law allows individuals to seek damages for privacy infringements or misuse of information, potentially resulting in significant legal and regulatory repercussions for directors and officers.

    Similarly, several Asian countries are also enhancing their legal and regulatory frameworks to address cyber security and privacy concerns.

    The developments across APAC point toward a global trend to hold directors and officers accountable for cyber security and privacy, stressing the need for strong risk management and vigilance against technological threats.

    In South Korea, the Personal Information Protection Act is one of the world’s most stringent privacy laws. The law requires companies to implement robust data protection measures and report data breaches promptly.

    Non-compliance can lead to heavy fines and criminal charges against responsible officers.

    In Singapore, the Cybersecurity Act 2018 mandates that owners of critical information infrastructure take proactive steps to protect their systems and report cyber incidents.

    The Personal Data Protection Commission enforces strict guidelines under the Personal Data Protection Act to safeguard personal data, with penalties reaching up to SGD 1 million or more for severe breaches.

    Japan has also strengthened its regulations with the enactment of the Act on the Protection of Personal Information (APPI).

    The amended APPI, effective since April 2022, imposes stricter requirements on businesses handling personal data, including mandatory breach notifications and enhanced data subject rights. Failure to comply can result in substantial fines and reputational damage.

    Directors and Officers Face Regional Complexities

    On top of expanding legal expectations, directors and officers are seeing significant differences in the D&O landscape across the APAC region.

    While heightened competition among insurers presents opportunities for cost savings, each country faces unique challenges and regulatory scrutiny.

    Rapid digital transformation, climate disclosures, AI governance, and cyber security are key factors influencing the D&O market, with varied emphasis and impact across different countries.

    Australia

    • The D&O market for insureds has seen favorable conditions, with increased competition and opportunities for cost savings.
    • Insurers are focusing on emerging risks such as climate disclosures, AI governance and cyber security.

    India

    • The country is experiencing rapid digital transformation, which has led to an increase in cyber threats.
    • Directors and officers need to be vigilant about cyber security and ensure that their organizations have robust risk management frameworks in place.

    Japan

    • There is a growing focus on AI governance and the ethical use of technology.
    • Directors and officers are expected to implement robust governance frameworks to manage AI-related risks and ensure ethical practices.

    Mainland China

    • China’s stringent cyber regulations (Cybersecurity Law, Data Security Law, Personal Information Protection Law) mandate rigorous data governance, cross-border transfer controls and breach reporting.
    • Directors and officers must prioritize compliance amid rapid digitalization, heightened cyber threats (e.g., state-sponsored attacks, ransomware) and evolving AI governance risks.
    • The Cyberspace Administration of China enforces strict accountability, requiring robust incident response plans, vendor due diligence and alignment with national standards such as the Multi-Level Protection Scheme.
    • Insurers increasingly tie D&O coverage to demonstrable cyber resilience and regulatory adherence.

    New Zealand

    • The country lacks broad regulatory rigor in cyber security and AI, but the Financial Markets Authority and Reserve Bank of New Zealand are increasingly interested in how regulated entities manage data privacy risk and cyber resilience.
    • New Zealand D&O insurers emphasize the need for compliance with data protection laws and ethical AI governance to mitigate evolving sources of claims.
    • While litigation from cyber events has been rare locally, many New Zealand organizations and their boards are influenced by international trends, especially from Australia.

    Singapore

    • The regulatory environment is stringent, with the Monetary Authority of Singapore (MAS) emphasizing the importance of cyber resilience.
    • Directors and officers must ensure compliance with MAS guidelines to avoid regulatory penalties.

    Proactive Steps for Directors and Officers

    Regional developments highlight the need for targeted risk management strategies tailored to the environments directors and officers operate in (see D&O Insurance Market review).

    “Ensuring that organizations are well-prepared to handle cyber incidents allows directors and officers to protect themselves and their business from the increasing risks associated with the digital age.”

    Ling Yu, Aon’s financial services and professions group leader for Asia

    To address increasing cyber threats, regulatory scrutiny, and organizational exposure, directors and officers can take the following steps:

    1. Regular Review of Risk Management Frameworks
    Directors must ensure that cyber security protocols are consistently reviewed and updated to reflect emerging threats. Tools such as Aon’s Cyber Impact Analysis can help quantify the financial impact of cyber risks. In the event of an incident, these assessments may serve as evidence to regulators, courts, and shareholders that the board identified and addressed material risks with the intent to protect shareholder value, customer trust, and public interests.

    2. Board Oversight and Accountability
    Active involvement from the board in overseeing cyber security efforts is essential. The experience of Wyndham Worldwide Corporation demonstrates this. After facing a shareholder derivative suit over data breaches between 2008 and 2010, the company successfully defended itself by showing that the board had made cyber security a consistent agenda item, conducted regular risk reviews, and consulted experts, establishing a clear record of oversight and due diligence.

    3. Training and Awareness
    Boards should allocate resources to ensure both directors and senior management receive ongoing training in privacy and cyber security. Awareness of current threats and best practices helps strengthen organizational readiness and supports regulatory compliance.

    4. Incident Response Planning
    An effective response plan is critical for minimizing the damage from cyber incidents. Directors must confirm that such plans are in place and tested regularly to ensure rapid action and clear communication during disruptions.

    FAQ

    How are directors and officers personally exposed to liability due to cyber risks?

    Directors and officers face direct accountability for organizational failures in cyber risk management. In Australia, under the Privacy and Other Legislation Amendments Act 2024, individuals can be fined up to $660,000 for non-serious privacy breaches. Similar accountability measures exist in countries like South Korea, Singapore, and China, where data protection laws impose severe penalties and, in some cases, criminal liability for non-compliance.

    Why is AI adoption increasing exposure for directors?

    As most companies now use or plan to use AI, directors must ensure appropriate oversight. Mismanagement of AI risks, including data misuse or algorithmic bias, may lead to securities class actions or regulatory scrutiny. In 2024, Stanford Securities Litigation Analytics began tracking AI-related class action filings, which more than doubled from the previous year, indicating a rise in litigation risk.

    What should boards do to demonstrate proper cyber risk oversight?

    Boards must actively monitor and review cyber security strategies. Regular discussions, third-party consultations, and documented evaluations of risk frameworks are critical. For example, Wyndham Worldwide successfully defended against a shareholder lawsuit by demonstrating its board’s continuous attention to data security measures and consultation with experts.

    How do legal obligations differ across APAC?

    Legal and regulatory expectations vary significantly.

    • Australia: Strong competition among D&O insurers and a focus on cyber, AI, and climate disclosures.
    • Japan: Emphasis on ethical AI use and data governance.
    • China: Strict enforcement of cyber laws and state oversight.
    • Singapore: MAS mandates proactive cyber security governance.
    • South Korea: Privacy laws impose fines and criminal liability for non-compliance.
    • New Zealand: Regulatory expectations are increasing, influenced by global standards.
    • India: Fast digitalization demands updated cyber protocols and board engagement.

    Can D&O policies cover AI-related or cyber liability?

    Yes, but coverage varies. Boards should review policy terms carefully to confirm coverage for digital exposures. Julie Hamilton of Aon emphasizes the need for D&O policies that address liabilities tied to AI systems and cyber threats.

    What are regulators expecting from directors regarding cyber preparedness?

    Regulators expect clear, documented plans for incident response, governance structures that identify and mitigate risk, and proof that directors have made good-faith efforts to protect data and systems. A failure to do so may not only lead to regulatory fines but also reputational harm and litigation.

    AUTHORS: Andrew Mahony – Aon’s Cyber Solutions Leader, Financial Services, Professions & Cyber Co-Leader, Asia; Julie Hamilton – Aon’s National D&O Practice Group Leader, Australia; Ling Yu – Aon’s Financial Services & Professions Group Leader, Asia; Michael Parrant – Aon’s Director & Cyber Practice Leader, Australia