As Asia Pacific banks look to 2026, cyber risk in the region is at a critical inflection point. AI-driven attacks are accelerating in scale and sophistication, while rapid digitalisation and deeply interconnected ecosystems are expanding the surface of attack.
Cyber incidents in Asia Pacific account for some 34%¹ - more than a third - of global cyber incidents, according to IBM, with increasing operational, financial and customer impacts. At the same time, regulators are raising expectations around resilience, third-party risk, reporting, and accountability - making cyber risk a board-level priority, not a technology challenge to solve.
In my view, these are the five critical forces reshaping cyber risk for banks in Asia Pacific, and what CISOs must prioritise as these threats accelerate.
1. Cyber-attacks become autonomous with AI
AI is transforming cyber-attacks, with bad actors using generative and agentic AI to drive autonomous attacks at an industrial scale and at increasing speed.
Visa has reported the volume of mentions of AI agents in underground forums have surged more than 477%² in 2024, indicating increased interest and usage. Generative AI enables bad actors to automate impersonation, phishing, credential theft and malware creation. For example, a Hong Kong employee of a multinational company was scammed by an AI-powered deepfake video call, resulting in a loss of around US$ 25m³.
Agentic AI takes this even further by planning and executing multistep attacks at machine speed with minimal human supervision, which outpaces cyber defence teams. For example, bad actors manipulated an AI firm’s system to launch an espionage campaign on global targets, executed largely by AI agents⁴.
What organisations should do: AI-driven autonomous attacks should be treated as the new normal that organisations must be prepared for. This means a greater urgency to harden identity, access, and verification processes at an enterprise level to combat deep fakes, impersonation, and AI-powered phishing.
In addition, banks need to invest in AI-enabled security to combat AI threats. This includes security, monitoring, and red-teaming capabilities to detect machine-based attacks early. Stronger governance, employee awareness, and incident response protocols will also help banks and institutions stay ahead of rapidly evolving agentic AI threats.
2. Fraud is now strategic, automated and scalable
Bad actors are increasingly operating with greater strategy, coherence, and unity, driven by a growing convergence of cyber and fraud activities.
Cyber intrusions, such as data breaches, malware campaigns, and phishing operations now directly fuel fraud by enabling synchronised data compromises, mass credential dumps, and scalable account takeover scams, with a 220%⁵ increase in recovered account cases linked to mass data dumps and coordinated scam campaigns in 2025.
These cyber-enabled capabilities allow fraud networks to act quickly and collaboratively across geographies and sectors, amplifying both the speed and impact of attacks. As a result, traditional fraud models face critical fault lines: approaches that treat cyber threats and fraud as separate, or rely on isolated, reactive monitoring, are no longer sufficient.
What organisations should do: Enterprises and governments must recognise cyber risk as a foundational enabler of modern fraud and respond with integrated, intelligence-led and collective defenses. CISOs and CROs must break down silos by unifying cyber security and fraud risk strategies, ensuring shared visibility across identity, threat intelligence, and transaction data.
Organisations must also shift from reactive controls to proactive, intelligence-led defenses that detect coordinated attack patterns early. Critically, this requires cross-industry collaboration, continuous monitoring, and joint ownership of cyber-enabled fraud risk at the executive level.
3. Ransomware as a business model
Ransomware, or malware that denies users access to their data is on the rise in payments, especially in Asia Pacific, with ransomware incidents in payments ecosystem entities rising 41%⁶ between early and mid-2025. For example, a ransomware attack on the Indonesian national data centre in 2024 disrupted services for many government agencies⁷.
This is due to the rapid digitalisation of banking and the financial ecosystem creating a larger target for fraud actors, combined with uneven security infrastructure. Bad actors exploit the region’s large digital population and mobile-first financial systems through extortion, AI-driven phishing, and distributed denial-of-service (DDoS) attacks. Fragmented regulations across Asia Pacific further create gaps that adversaries readily exploit.
What organisations should do: A useful step will be to strengthen ransomware resilience by enhancing backup, recovery, and DDoS protections across payment and mobile platforms, while deploying AI-driven detection against phishing and extortion.
Organisations can also conduct a cybersecurity maturity assessment to identify gaps in existing infrastructure to prioritise investments in key areas of weaknesses. Finally, standardising controls and improving regional coordination can help to address regulatory gaps or inconsistencies, especially in a diverse region like Asia Pacific.
4. Interconnected ecosystems, interconnected risk
Asia Pacific’s financial ecosystem is deeply integrated and interconnected. Open banking initiatives, extensive fintech partnerships, and interoperable card and cross-border payment networks have tightly linked banks, fintechs and payment service providers through shared infrastructure and payment rails.
While this connectivity drives growth and innovation, it also carries greater operational risk that requires tightly coordinated regulatory and industry governance. Extended digital supply chains may increase exposure to cyber intrusions, and inconsistent security controls across vendors, APIs, and partners can create structural weak points that can be exploited by sophisticated threat actors and cause damage to cascade rapidly across the ecosystem. According to the World Economic Forum’s Global Cybersecurity Outlook 2026, 65% of large organisations now view third party and supply chain vulnerabilities as their top cyber resilience challenge - up from 54%⁸ in 2025 - highlighting the rapid rise of supply chain attacks. An attack on a bank's customer loyalty system, for example, may yield more than just loyalty details to include card credentials, credit histories, and other sensitive personal information.
What organisations should do: Strengthen third-party and supply chain risk management by enforcing rigorous security standards across vendors, fintech partners, and APIs. A shared commitment to continuously assess interconnected payment rails for systemic risk and increase visibility across shared infrastructure can ensure that the entire ecosystem remains ahead of cyber threats. Enterprises and regulators can also embed “security by design” into open banking and partnership infrastructures to reduce risk.
5. New technologies make banks bigger targets
From real-time payments to digitalisation, AI and quantum computing and AI, Asia Pacific banks are scaling new technologies rapidly. Each innovation expands the attack surface: faster payments compress detection windows and misconfigurations of cloud platforms or APIs may expose data if not secured properly. For example, an API-related vulnerability⁹ led to the exposure of over 9 million customer records in Australia at a cost of A$140m¹⁰.
At the same time, AI is enabling cyber-attacks at a faster pace and larger scale, while new technologies like quantum computing mean enterprises need to move to next-generation cryptography to secure their data.
What organisations should do: Proactively manage the expanding attack surface by securing APIs, cloud workloads, and digital identity platforms with continuous testing and zero-trust controls.
Organisations can also step up preparations for post-quantum cryptography and deploy AI-enabled detection tools to match the speed of real-time payments and AI attacks. Lastly, ecosystem-wide assessments can help enterprises and regulators to better map out the full extent of their services and networks, allowing them to detect potential gaps in peripheral systems or previously overlooked vulnerabilities in their integrated ecosystems.
What this means: Cybersecurity must become a boardroom discipline
Cybersecurity today is not simply a technical challenge to be delegated to CISOs. In Asia Pacific, it is a core business risk that demands strong executive ownership and enterprise-level coordination.
First, effective cyber resilience requires boards and senior leadership to set clear risk appetites, align security priorities with business strategy, and ensure accountability across technology, operations, legal, and third-party ecosystems. Only through clear leadership and a unified strategy can organisations design and sustain cybersecurity frameworks that keep pace with evolving threats and digital transformation.
Second, beyond technological solutions, cyber stewardship must be embedded across the leadership structure through ongoing role-based training. Executives and senior leaders need a clear understanding of cyber risk, decision making responsibilities, and crisis response to lead effectively during incidents. This shared literacy ensures cybersecurity is consistently considered in strategic decisions, not treated as a siloed IT concern.
Lastly, cybersecurity is an ecosystem level objective that no boardroom or organisation can achieve in isolation, especially as fraud operates at an industrial scale. Banks, fintechs, regulators, and technology providers must collaborate through intelligence sharing, common standards, and coordinated response mechanisms. Only industry-wide cooperation can address and match the speed, scale, and interconnectedness of today’s threats.
___________________________________________
¹ IBM X-Force 2025 Threat Intelligence Index - https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
² Visa Biannual Threats Report: Five Forces Reshaping Payment Security in 2025 (Fall 2025) - https://corporate.visa.com/content/dam/VCOM/corporate/visa-perspectives/security-and-trust/documents/biannual-fall-2025-public-final.pdf
³ A US$25 million Hong Kong deepfake scam shows new AI risks in video calls - https://www.channelnewsasia.com/commentary/deepfake-scam-video-conference-zoom-hong-kong-employee-4103266
4 Disrupting the first reported AI-orchestrated cyber espionage campaign - https://www.anthropic.com/news/disrupting-AI-espionage
⁵ Visa Biannual Threats Report: Five Forces Reshaping Payment Security in 2025 (Fall 2025) - https://corporate.visa.com/content/dam/VCOM/corporate/visa-perspectives/security-and-trust/documents/biannual-fall-2025-public-final.pdf
6 Visa Biannual Threats Report: Five Forces Reshaping Payment Security in 2025 (Fall 2025) - https://corporate.visa.com/content/dam/VCOM/corporate/visa-perspectives/security-and-trust/documents/biannual-fall-2025-public-final.pdf
⁷ Cyberattack on Indonesia National Data Center - https://www.usasean.org/article/cyberattack-indonesia-national-data-center-pdn
⁸ World Economic Forum: Global Cybersecurity Outlook 2026 - Global Cybersecurity Outlook 2026 | World Economic Forum
⁹ Coding error in forgotten API blamed for massive data breach - Coding error in forgotten API blamed for massive data breach • The Register
¹⁰ Optus data breach class action launched for millions of Australians caught up in cyber attack - Optus data breach class action launched for millions of Australians caught up in cyber attack - ABC News