[Jishnu M Nair is a Counsel, ASEAN Compliance Officer at IBM ]
The IBM Cost of a Data Breach Report 2025 tells us that, globally, there has been a slight reduction in the average cost of data breaches. However, in countries across the Asian region, specifically for the ASEAN and India bloc, the trend is moving in the opposite direction. The average cost of a breach in ASEAN rose to $3.67 million, while in India it increased to $2.51 million. Cybersecurity incidents and associated data breaches are a growing reality that Asia continues to struggle with.
Recently, I came across an interesting proposal from the cyber regulator in India advocating for the adoption of an artificial intelligence bill of materials (AIBOM), which I view as an evolved version of the software bill of materials (SBOM), as a requirement in procurement processes. While the intention is clear, some of AIBOM’s requirements are designed in such a way that, if the document were to fall into the wrong hands, it could essentially serve as a roadmap for cyber attackers. However, I do recognize the struggle faced by a cyber and privacy regulator, especially considering the seriousness of the problem, particularly in the Asia-Pacific (APAC) region, which is facing aggressive digital expansion and equally unprecedented cyber risks, and where costs keep rising, as the IBM data mentioned earlier shows. With digital services driving economic growth, from mobile banking in India to cloud-enabled logistics in Southeast Asia, the surface area for cyberattacks has expanded exponentially. APAC has become the primary theatre for global cybercrime.
With that, the industry faces a critical question: how best to defend its digital infrastructure? While broad regulation has often been the default policy response, there is increasing evidence that piecemeal, disharmonized regulatory frameworks, even when well-intentioned, are insufficient to mitigate the speed and sophistication of modern cyber threats. I argue that cybersecurity in Asia is fundamentally an investment issue, not a regulatory one. Strengthening cyber resilience requires sustained financial, human, and institutional capital investments that deliver outcomes that regulation alone cannot guarantee.
Cyberattacks as an Existential Threat
After going through numerous instances of attack, there is a general agreement that cyberattacks today are an existential threat. A single breach can severely compromise a company’s ability to survive. In a 2024 industry report, it was observed that over one-third of organizations in the APAC region have suffered major breaches, resulting in costs ranging from $1 million to $20 million per incident. These statistics are not hypothetical; real-world examples support them. A ransomware attack in Australia forced a major e-prescription provider into insolvency after it lost access to critical data and failed to recover. In another example, a global currency exchange service, operating across several Asian markets, collapsed after attackers encrypted its systems and demanded a ransom, despite warnings of vulnerabilities from a year before. These incidents illustrate that cybersecurity is not only an IT function but a fundamental pillar of enterprise longevity.
Limitations of Regulatory Responses
Even after such large-scale incidents, the regulatory responses across Asia remain disharmonized, backwards-looking and, in many cases, unresponsive to the pace of threat evolution. Regulatory frameworks, while important in setting minimum expectations, often result in what may be termed a “compliance trap”: companies expend resources to meet prescribed technical controls or checklist requirements without meaningfully improving their cyber resilience. This is partly a structural issue. Cyber regulation is currently structured to be reactive; it cannot keep up with the innovation cycles of both attackers and defenders. Moreover, compliance-oriented approaches tend to incentivize risk aversion rather than security innovation. Compliance, for the most part, does not equal security. When regulations require specific technologies or controls, organizations may meet these formal obligations without truly understanding or addressing the dynamic threat environment. A hospital or bank that installs basic antivirus software may be technically compliant, but remains vulnerable to sophisticated phishing campaigns or ransomware attacks that exploit social engineering rather than software flaws.
The gruelling part is that this problem is exacerbated by regulatory heterogeneity within the region. I argue that heterogeneity is a strength in many areas, but it is not a strength in cybersecurity practices and policies. A disharmonized regulatory structure results in a patchwork of standards, complicating compliance and undermining the interoperability of defences. The lack of harmonization across jurisdictions also limits companies’ ability to invest in cybersecurity solutions that could eventually be scaled. For multinational firms, divergent rules result in organizations running between multiple audit trails, differing breach disclosure thresholds, and varied certification schemes, all of which increase compliance overhead without corresponding gains in actual security.
A study from MIT in 2020 found that simply adhering to cybersecurity regulations does not necessarily make organizations more secure. Instead, what actually improves security is combining compliance with active, well-planned defence strategies. In other words, merely adhering to the rules is not enough; real protection comes from strong internal leadership, modern security tools, and being genuinely prepared for threats. Regulatory frameworks tend to emphasize prevention over recovery; yet, in today’s threat landscape, the capacity to respond to and recover from breaches (sometimes referred to as cyber resilience, the ability to maintain operations and protect data in the face of a cyberattack) is often more critical than absolute prevention, which is an increasingly elusive goal.
The Case for Risk-Based Approaches
Cybersecurity may not benefit from prescriptive regulations; the aim should instead be to embrace risk-based approaches and empower the private sector to innovate securely, rather than mandating specific technologies or protocols. This viewpoint is echoed by several industry leaders across Asia. The rationale is clear: it is more effective and more economical to equip companies to defend themselves than to police them through rulebooks. This shift in perspective opens up a world of possibilities for cybersecurity innovation, offering a hopeful and inspiring vision for the future.
What, Then, Constitutes a Meaningful Investment in Cybersecurity?
Cyber literacy for the population is an area that is rarely overlooked outright. Many campaigns revolve around the message “Don’t share an OTP over a call; nobody asks for an OTP over a call”. Though this is an important issue, the cyber literacy campaigns sometimes end there. The IBM Cost of a Data Breach Report tells us that a significant portion of data security breaches in organizations are not the result of advanced hacking, but rather of simple human error. So, if large enterprises suffer incidents from human error, then breaches caused by the general population will be even more prevalent, such as clicking on a malicious link, reusing weak passwords, or falling for a cleverly crafted phishing email. Despite this, cyber awareness remains low across much of Asia, particularly among the general populace and small and mid-sized enterprises.
Governments need to invest in large-scale cyber literacy campaigns, and cyber literacy should be included as part of the school curriculum. Also, governments and private firms must jointly prioritize workforce training and digital hygiene education for citizens. One good example in the region, Singapore’s national awareness campaign “Better Cyber Safe than Sorry”, offers a replicable model. Singapore has done a great job in cybersecurity messaging. As a policy imperative, the campaign enhances baseline awareness in public spaces and on consumer platforms. Companies will need to take more foundational steps around cybersecurity education, such as regular phishing simulations, employee drills, and executive-level incident response exercises.
Technical investments are another essential that gets lower priority, and sometimes compliance with regulations is to blame because of the notion that compliance means security. Modern cybersecurity defence requires more than firewalls and antivirus software. A good starting point is a clear cybersecurity strategy that lays out priorities. Some Asian economies have such strategies laid out, but most of them are outdated and fail to keep pace with changing risks and needs. So, nations should have a clear national-level cybersecurity strategy when thinking about investments and deploying them. The strategy should focus on investment rather than on creating burdensome regulations, which could create artificial barriers to doing business. Expanding on a national strategy that treats cybersecurity as a national priority, countries could consider cyber defence as a separate component in the annual financial budget, with investment allocated for the public sector at the national level.
Public policy should play a crucial role in catalyzing and supporting private sector investment. The US-ASEAN cybersecurity collaboration is an incredible example. While we appreciate that regulation and enforcement are key, that should not be the only focus for governments and regulators in Asia; they should adopt a more facilitative posture. This includes developing outcome-based standards that enable firms to select the technologies and practices most suitable to their risk profile. Governments should consider providing financial incentives such as tax credits, grants, or co-financing for cybersecurity upgrades, particularly for SMEs that lack the capital to adopt sophisticated defences. As Charlie Munger said: “Show me the incentives and I will show you the outcome”. This is true in the current scenario too. Public procurement policies should give more weight to vendors with strong cybersecurity practices, which can, in turn, encourage better behaviour and investment across supply chains. The government’s role should not be to prescribe every line of code, but to ensure that companies have both the motivation and the means to protect themselves.
Conclusion
Regulations cannot be the only solution for the cybersecurity challenge facing Asia. As digital infrastructure becomes central to national economies and public services, cyber threats pose both operational risks to businesses and systemic risks to the region’s growth trajectory. Regulation, while necessary to set baselines, must be complemented by meaningful, sustained investment, both financial and institutional, in cybersecurity. A sensible national cybersecurity strategy, focusing on increased public sector cybersecurity investment, should be a good start. Governments must embrace their role as enablers and stop thinking of cybersecurity as only a national security issue, instead recognizing that they can regulate the risk.
A good cybersecurity strategy would be risk-based and outcome-focused, rather than prescriptive, and would maintain the flexibility to adapt to evolving threats. We must take special care to avoid overregulation that burdens innovation or encourages superficial compliance. Additionally, this could be complemented by strong incentives, such as tax credits, to drive investment.
Finally, businesses must recognize that cybersecurity is no longer a discretionary IT issue but a core business imperative. As the IBM cost of data breach study showed, a data breach in today’s environment is not merely a cost of doing business; it is a potentially terminal event. Against this backdrop, the only viable path forward is to treat cybersecurity not as a compliance burden, but as an investment in the survival and success of Asia’s digital future.
– Jishnu M Nair