The new cost of connectivity
As governments digitise public services, banks push deeper into mobile-first models, manufacturers adopt connected systems and telecom networks become the backbone of everyday life, the Southeast Asia region’s threat landscape is expanding in both volume and sophistication. The shift is not incremental. Cybersecurity in Southeast Asia is no longer an “IT problem” to be handled after deployment; it is increasingly a strategic factor shaping regulation, investment decisions, vendor choices and, in some cases, diplomatic sensitivities.
The region’s challenge is structural. Southeast Asia is building fast across 5G networks, cloud adoption, cross-border digital trade and artificial intelligence (AI)-enabled services, often with uneven security maturity across organisations, supply chains and public sector ecosystems. This creates a familiar pattern as attackers target the weakest points in systems that are otherwise modern and well funded. Incidents in 2025 show that the most damaging exposures are not always direct attacks on core systems, but breaches and disruptions emerging from third-party vendors, weak governance, delayed reporting, credential theft and social engineering that exploits trust rather than technology.
What emerges is a cyber landscape defined by three converging pressures: ransomware and operational disruption, data governance and regulatory tightening, and AI-enabled fraud and social engineering. Together, they are forcing Southeast Asia to rethink what “digital readiness” actually means.
Ransomware
Ransomware remains the cyber risk that most visibly tests national resilience because it combines financial extortion with real-world disruption.
In Southeast Asia, 2025 has reinforced that ransomware impact is not limited to a single sector. Financial services, healthcare, logistics and government-linked service providers sit in the crosshairs because they represent high-value data and time-sensitive operations.
A clear example comes from Singapore, where a ransomware attack on a data vendor, Toppan Next Tech, led to potential exposure of customer information linked to major banks. The incident put roughly 8,200 customer statements at risk for DBS and about 3,000 customers for Bank of China’s Singapore branch, with exposed information including names, addresses and investment or loan details. DBS stated core systems and funds were not affected, yet the incident triggered regulatory attention and response co-ordination involving the Monetary Authority of Singapore and the Cyber Security Agency of Singapore.
The lesson is clear: in mature digital economies, the most consequential weak links may sit outside the primary institution’s own perimeter. Vendor ecosystems, printing partners, managed service providers, cloud suppliers and outsourced operations often carry the same sensitivity as the principal entity but not always the same level of security governance. For a region accelerating digital public services and platform-based operations, third-party risk is rapidly becoming a first-order risk.
Vietnam’s experience underscores another ransomware reality: as digital transformation deepens, exposure rises. Ransomware incidents in Vietnam reportedly caused losses exceeding $10 million in 2025, highlighting the financial and operational drag ransomware can impose on fast-digitising economies.
Even where organisations do not pay ransoms, recovery costs, downtime, restoration, response services and reputational loss can be substantial.
Supply chain exposure
Cyber risk in Southeast Asia is increasingly a supply chain issue, not just an enterprise issue. This is partly because digital services are now modular. Banks rely on vendors for customer communications, governments use contractors for platforms, telecom operators depend on multivendor network stacks and enterprises adopt cloud-native systems that integrate multiple external components.
The Singapore vendor incident is a case study in how third-party compromise can create regulatory, reputational and operational consequences even when “core” infrastructure remains secure.
More broadly, as Southeast Asia builds national digital infrastructure and cross-border services, supply chains expand, creating a larger surface area for attackers seeking lateral entry points. For Southeast Asian organisations operating under tightening privacy regimes, the threat of data exposure often becomes as coercive as service disruption.
Regulators are tightening oversight
The policy response across Southeast Asia is shifting from broad cyber ambition statements to sharper regulatory instruments, especially around critical infrastructure, incident reporting and data governance.
Singapore has moved decisively in this direction. Provisions under the Cybersecurity (Amendment) Act came into force on October 31, 2025, expanding oversight to reflect how modern essential services rely on virtualised systems and provider-owned infrastructure. The amendments enable the designation and regulation of such systems as critical information infrastructure, reflecting the reality that essential services are increasingly delivered through cloud-like environments rather than through purely physical assets.
Vietnam is also tightening governance, particularly in data regulation. A major law passed in late 2024 (effective July 1, 2025) expands regulation beyond personal data to broader “digital data” categories, including “important data” and “core data”, with cross-border transfer restrictions framed through national defence and security considerations. Draft decrees from early 2025 proposed criteria for classification, indicating a trajectory towards stronger state oversight of data flows and risk assessments.
Separately, Vietnam passed a new cybersecurity law in December 2025, set to take effect on July 1, 2026, consolidating earlier cybersecurity and network information security frameworks.
Indonesia’s trajectory highlights another dimension, i.e., the intersection of cybersecurity, privacy and state powers. In June 2025, Indonesia’s Attorney General’s Office signed agreements with major telecom operators to install wiretapping equipment for law enforcement purposes, prompting concerns from analysts and rights groups about privacy safeguards and potential overreach.
Across the region, these regulatory moves reflect a shared direction – governments are treating cyber resilience as part of national infrastructure governance, not merely corporate best practice.
AI-enabled fraud and social engineering
If ransomware is the headline cyber risk, fraud and social engineering are the mass-market risk, especially as AI tools reduce cost and raise realism. In 2025, reports highlighted how scammers have used AI-generated images and face-swapping techniques, including activity linked to Southeast Asian scam networks exploiting AI tools for deception.
This matters because Southeast Asia has two overlapping realities: high digital adoption and high exposure to scams. AI increases the effectiveness of phishing, business email compromise, impersonation scams and deepfake-enabled confidence fraud.
In practice, this is pushing the region towards stronger identity and transaction controls such as behavioural analytics, anomaly detection, stronger know your customer/anti-money laundering (KYC/AML) integration and, in some markets, broader use of biometrics. But AI also raises the stakes: as authentication becomes stronger, attackers increasingly target humans, processes and vendors rather than systems alone.
State-linked espionage
Southeast Asia’s cyber environment also includes state-linked operations and espionage that target the government, telecom, manufacturing and media sectors. The Center for Strategic and International Studies’ (CSIS) tracking of significant cyber incidents notes ongoing campaigns affecting Southeast Asia across these sectors, reflecting how the region sits at the intersection of strategic competition and supply-chain geopolitics.
For regional policymakers, this creates a layered risk environment. They must defend against financially motivated criminals seeking ransom and data, while also managing higher-end threats seeking long-term access, intelligence value and strategic influence. This duality is one reason cybersecurity is increasingly treated as a sovereignty issue, not only a commercial one.
Practical bottlenecks and remedial measures
A persistent theme across Southeast Asia is uneven capability. Large banks and major telecom operators may have strong security postures, but they still rely on complex vendor ecosystems. Small and medium enterprises (SMEs), regional government agencies and mid-tier enterprises often operate with constrained budgets and limited specialist staff. This creates a two-speed cyber posture: pockets of sophistication surrounded by weaker points that attackers can exploit.
In this regard, the region’s cyber winners will likely be those who treat cybersecurity as operating infrastructure rather than periodic compliance. A credible playbook is emerging with five priorities:
- Hardening the vendor ecosystem: Third-party risk must move from procurement checklists to continuous monitoring, with contractual clarity on breach reporting, access controls, audits and incident cooperation.
- Measuring resilience, not just controls: Organisations need to test recovery time objectives, backup integrity and continuity plans, because the impact of ransomware is fundamentally operational.
- Fraud-as-a-service defence: Banks and platforms need AI-on-AI defence: behavioural analytics, transaction monitoring, device intelligence and rapid takedown processes for impersonation content.
- Critical infrastructure regulation with clarity: Oversight must match modern architecture (virtual systems, provider-owned infrastructure and cloud dependencies) while maintaining operational practicality, as reflected in Singapore’s evolving regime.
- Balancing security with rights and trust: Expanding state interception capabilities without clear guardrails can erode trust and create long-term governance risk, as debates in Indonesia show.
Outlook
Southeast Asia’s digital economy will continue to grow and so will its cyber exposure. The region’s defining cybersecurity challenge is not a lack of ambition – it is the mismatch between fast deployment of digital services and uneven maturity of security governance, vendor resilience and fraud controls. Incidents in 2025 show that the next wave of cyber risk is increasingly systemic. It spreads through supply chains, exploits trust and targets operational continuity as much as data.
In this environment, the central question is not shifting. The question is whether the region can build resilience quickly enough that cyber risk does not become the limiting factor for digital adoption, cross-border services and public trust.