Southeast Asia’s Cybersecurity Crisis: Why Leadership Fails to Own the Risk—and What’s at Stake
Regional executives still treat cyber risk as an IT problem, not a boardroom priority—despite ransomware attacks surging 120% in the past two years and a single breach costing Southeast Asian firms an average $4.2 million. A leadership gap in cyber risk ownership is leaving governments, banks, and even critical infrastructure exposed, according to new threat intelligence reports and interviews with regional CISOs.
While global cybersecurity budgets grew 14% in 2023, Southeast Asia’s spending lagged behind by 20 percentage points, with only 38% of regional boards requiring cyber risk to be discussed at executive meetings—compared to 72% in North America and Europe. The disconnect isn’t just financial: it’s cultural. In a region where digital transformation is accelerating faster than anywhere else, cyber risk remains siloed in IT departments, treated as a technical fix rather than a strategic liability.
This article examines why Southeast Asia’s leadership blind spot on cyber risk ownership is deepening, what the consequences are for businesses and governments, and how a handful of firms are breaking the mold—without relying on heavy-handed regulation or top-down mandates.
—
Why Southeast Asia’s Leaders Still Don’t Treat Cyber Risk as a Boardroom Issue
Cyber risk ownership isn’t just about assigning blame when an attack happens. It’s about embedding risk awareness into every decision—from hiring cloud providers to approving third-party vendors. Yet in Southeast Asia, only 28% of companies have a dedicated cyber risk committee at the board level, according to a 2024 report by the Asia Pacific Cybersecurity Alliance. That’s half the rate of Australia and nearly a third of Singapore’s private sector.
Key reasons for the gap:
- Short-term thinking: Boards prioritize quarterly earnings over long-term resilience. A 2023 study by Deloitte’s Southeast Asia Risk Advisory found that 65% of regional executives view cybersecurity as a cost center, not an investment in stability.
- Lack of measurable consequences: Unlike financial fraud or data privacy violations, cyber incidents rarely trigger immediate legal penalties in most Southeast Asian markets. Singapore's Personal Data Protection Act (PDPA) now allows fines of up to S$1 million, or 10% of an organisation's annual Singapore turnover for larger organisations, whichever is higher, but enforcement remains inconsistent.
- Cultural reluctance to delegate: In hierarchical corporate structures, CEOs and CFOs often assume IT leaders can handle cyber risk without board oversight. “They see cybersecurity as a checkbox, not a conversation,” says Lim Wei Jie, former CISO of a regional fintech firm, who now advises boards on risk governance.

The cost of inaction is rising fast. A 2024 IBM Security report found that the average cost of a data breach in Southeast Asia jumped 40% in two years—now exceeding $4.2 million per incident. For small and medium enterprises (SMEs), which make up 98% of businesses in Indonesia and the Philippines, the damage can be existential. In Vietnam, 35% of SMEs that suffered a ransomware attack in 2023 closed within six months, according to the Vietnam Cybersecurity Association.
Regional variations highlight the problem:
| Country | Board-Level Cyber Oversight (%) | Avg. Breach Cost (USD) | Key Regulatory Gap |
|---|---|---|---|
| Singapore | 68% | $5.1M | No mandatory board reporting for cyber risk |
| Indonesia | 18% | $3.8M | Weak enforcement of data protection laws |
| Malaysia | 32% | $4.5M | Lack of sector-specific cybersecurity standards |
| Thailand | 25% | $3.9M | No public-private cybersecurity task force |
Source: 2024 APAC Cybersecurity Leadership Index, compiled from interviews with regional CISOs and government reports.
—
How Cyber Risk Ownership Works in Other Regions—and Why Southeast Asia Lags
In Europe, the NIS2 Directive requires essential and important entities, including critical infrastructure operators, to send authorities an early warning of a significant incident within 24 hours and a fuller notification within 72 hours, and it makes management bodies accountable for approving and overseeing cyber risk measures, with personal liability for failures. In the U.S., the Securities and Exchange Commission (SEC) now requires public companies to disclose material cyber incidents on Form 8-K within four business days of determining materiality, and to describe their cyber risk management, strategy and board oversight in annual filings, which forces executives to treat breaches as financial liabilities.
Southeast Asia has no equivalent. The Monetary Authority of Singapore (MAS) revised its Technology Risk Management Guidelines in January 2021, setting out how financial institutions should fold technology and cyber risk into their enterprise risk management, but the guidelines are not legally binding in themselves: MAS enforces a narrower set of requirements through its Technology Risk Management Notices and treats the guidelines as a benchmark in supervisory assessments. “The MAS guidelines are a step forward, but they’re not enforced like Basel III,” says Dr. Tan Kian Lee, cybersecurity professor at the Singapore Management University. “Boards still see it as a suggestion, not a requirement.”

Contrast with North America:
- Board reporting: 72% of U.S. companies require CISOs to brief boards quarterly (vs. 28% in Southeast Asia).
- Regulatory teeth: The SEC’s cyber disclosure rules mean executives can face personal liability for misrepresenting risk.
- Insurance pressure: Cyber insurers in the U.S. now treat board-level cyber governance as an underwriting condition when pricing premiums.
The exception: Singapore’s fintech sector. Since MAS revised its Technology Risk Management Guidelines in 2021, 85% of licensed fintechs now have dedicated cyber risk committees. “The threat of reputational damage and MAS scrutiny changed the calculus,” says Anand Srinivasan, CISO of a regional digital bank. “Boards realized they couldn’t outsource accountability.”
—
Real-World Consequences: When Leadership Fails, the Costs Explode
Case Study 1: The $100 Million Supply Chain Attack on a Thai Logistics Firm
In early 2023, a Thai logistics company handling 40% of Southeast Asia’s cross-border freight was breached through a contracted third-party vendor. Attackers exploited weak authentication in the vendor’s cloud system, used the vendor’s access to reach the firm’s shipment tracking data, and from there encrypted critical systems before demanding $100 million in ransom. The company’s board had no cyber risk oversight committee, and the CISO reported only to the CTO. By the time the intrusion was detected, the encryption was already complete.
Key failures:
- No board-level approval for the vendor’s cloud migration.
- No scenario planning for third-party breaches.
- Delayed incident response due to misaligned roles.
The firm paid the ransom, but its stock dropped 22% over three months. “The board treated cybersecurity as an IT issue until it wasn’t,” says a former director who requested anonymity. “By then, it was too late.”
Case Study 2: Indonesia’s State-Owned Bank Breach
In 2022, hackers stole $20 million from an Indonesian state-owned bank by exploiting weak authentication on its SWIFT interface. The bank’s CISO had warned the board for two years about the outdated controls, but no action was taken. “We had a cyber risk policy on paper, but no one owned it,” admits Budi Santoso, the bank’s former head of IT security. The breach triggered a government investigation, and three executives were reassigned.
Why it happened:
- Cyber risk was buried in the IT budget, not the risk committee.
- No clear escalation path for critical vulnerabilities.
- Board members lacked technical literacy to challenge IT’s risk assessments.
—
What Happens When Leadership Finally Takes Ownership?
A handful of Southeast Asian firms are proving that cyber risk ownership doesn’t require heavy regulation—just a shift in mindset. Here’s how they’re doing it:
1. Assigning a “Cyber Risk Champion” at the board level
Firms like Sea Limited (Shopee, Garena) and Grab have appointed non-executive directors with cybersecurity backgrounds to oversee risk strategy. “The champion doesn’t replace the CISO, but they ensure cyber risk is discussed alongside financial and operational risks,” says a former Sea board member.
2. Tying cyber risk to executive bonuses
In Singapore, DBS Bank now links 10% of its C-suite bonuses to cyber risk performance metrics, including breach response times and vendor security audits. “It forces leaders to think about cybersecurity in the same way they think about fraud or compliance,” says DBS’s Group CISO.
3. Simulating “Cyber Risk Scenarios” in board meetings
Firms like Gojek run quarterly tabletop exercises where the board role-plays responses to hypothetical breaches—such as a ransomware attack on its payment system. “The goal isn’t to test IT’s readiness, but to see how the board would make decisions under pressure,” says Gojek’s Head of Risk.
4. Mandating cyber risk training for non-technical executives
PT Bank Mandiri, Indonesia’s largest bank, requires all board members to complete a 16-hour cyber risk certification program. “You can’t govern what you don’t understand,” says Bank Mandiri’s CISO.
—
The Regulatory Wake-Up Call: What’s Coming Next?
Governments are finally moving—but slowly. Here’s what’s on the horizon:

- Singapore’s Cybersecurity (Amendment) Act (passed 2024): The original Cybersecurity Act 2018 already requires owners of critical information infrastructure to report incidents to the regulator; the amendments widen that net to more entities and systems, and add to the expectation that boards can attest to their cyber risk management frameworks.
- Indonesia’s Personal Data Protection Law (passed 2022, fully in force from October 2024): Expands penalties for non-compliance, including potential liability for board members, though enforcement remains unclear.
- ASEAN cybersecurity cooperation framework (targeted for 2026): Aims to standardise incident reporting across the region, but progress is stalled over sovereignty concerns.
The biggest hurdle? Political will. “Regulation alone won’t solve the ownership problem,” says Dr. Tan Kian Lee. “Until boards see cyber risk as a personal liability—not just a corporate one—the gap will persist.”
What’s driving change?
- Insurance pressure: Cyber insurers in Singapore now require board-level cyber governance policies before issuing policies.
- Investor scrutiny: BlackRock and other asset managers are increasingly asking Southeast Asian firms about their cyber risk oversight in annual meetings.
- Reputation damage: High-profile breaches at firms like Tokopedia and Shopee have led to consumer backlash and lost market share.
—
Cyber Risk Ownership: 5 Key Questions Answered
Q: What’s the difference between cyber risk ownership and cybersecurity?
A: Cybersecurity focuses on protecting systems; cyber risk ownership is about integrating risk management into every decision—from vendor selection to M&A due diligence. Ownership means the board, not just IT, is accountable for residual risk.
Q: Can small businesses afford to ignore cyber risk ownership?
A: No. A 2024 study by Cybersecurity Ventures found that 60% of SME breaches in Southeast Asia occur due to lack of board-level oversight. The average cost for an SME breach is $1.5 million—often enough to force closure.
Q: How can a board start taking cyber risk seriously without hiring a CISO?
A: Begin with a cyber risk maturity assessment against a recognised framework such as NIST CSF 2.0 (whose Govern function is aimed squarely at this problem) or ISO/IEC 27001. Assign a non-executive director to lead a risk subcommittee, and require quarterly updates from IT on critical vulnerabilities and the status of their remediation. Start small: mandate multi-factor authentication for board members and their accounts, and run phishing simulations that include the board.
Q: Are there any Southeast Asian firms doing cyber risk ownership well?
A: Yes. Grab and Sea Limited have integrated cyber risk into their enterprise risk management frameworks, with board-level dashboards tracking exposure. DBS Bank ties cyber risk to executive bonuses, and PT Bank Mandiri requires board members to complete cyber risk training.
Q: What’s the biggest misconception about cyber risk ownership?
A: That it’s only about preventing breaches. Ownership is about decision-making: whether to accept, mitigate, or transfer risk. A board that doesn’t understand this will always treat cybersecurity as a cost, not a strategic asset.
Q: Will regulation force Southeast Asian boards to take cyber risk seriously?
A: Possibly, but only if enforcement is strong. MAS’s Technology Risk Management guidelines have had limited effect on board behaviour because they are guidance rather than binding rules with direct penalties. If governments introduce fines or personal liability for board members, as NIS2 does in Europe, that could change behaviour quickly.
—
Southeast Asia’s digital economy is growing at twice the global average, but without board-level cyber risk ownership, that growth is at risk. The firms that treat cybersecurity as a boardroom priority won’t just avoid breaches—they’ll outperform competitors by making risk-informed decisions faster. For the rest, the question isn’t if a major incident will happen, but when—and how badly it will hurt.
For more on how regional firms are integrating cyber risk into governance, see our guide to cyber risk frameworks for Southeast Asian boards.