Cybersecurity and geopolitical risks in financial markets

ASEAN’s regulatory landscape for cybersecurity is maturing against the backdrop of accelerating digitalisation and rising cyber threats. Historically, ASEAN member states pursued disparate approaches to cyber risk, reflecting varying stages of economic development, financial market sophistication, and institutional capacity. More recently, however, the bloc has recognised that collective resilience requires more coherent and harmonised regulatory frameworks (ASEAN, 2021[40]).

Central to these efforts is the understanding that cyber threats are transnational, with malicious actors exploiting jurisdictional gaps. To close these gaps, ASEAN has committed to enhanced regional co‑operation guided by principles of shared responsibility, mutual trust, and capacity building. The region’s overarching policy documents, such as the ASEAN Cybersecurity Co‑operation Strategy (2021 – 2025), ASEAN plus Three Co‑operation Work Plan (2023 – 2027) and the ASEAN Digital Masterplan 2025, emphasise closer alignment of national cybersecurity strategies, the creation of common reporting standards, and the development of joint incident response protocols (ASEAN, 2021[83]; 2021[40]; 2022[84]).

ASEAN has also moved to translate high-level commitments into implementation guidance, including a checklist that operationalises the UN norms of responsible state behaviour in cyberspace into practical steps for members (ASEAN, 2025[85]). Recent ministerial-level engagements underscore this shift toward regional alignment. For example, the 10th ASEAN Ministerial Conference on Cybersecurity (AMCC), convened alongside Singapore International Cyber Week in October 2025, framed cybersecurity as a cross-pillar issue and reiterated the importance of a rules-based approach to cyberspace governance (ASEAN, 2025[86]). This co‑operation agenda has also been reinforced through extra-regional dialogues. At the 6th U.S.-ASEAN Cyber Policy Dialogue (Singapore, October 2025), participants highlighted shared threats, emphasised readiness and critical infrastructure defence, and took stock of the launch of the ASEAN Regional CERT as a practical step toward faster cross-border incident co‑ordination (U.S. Department of State, 2025[87]).

The ASEAN Cybersecurity Co‑operation Strategy (2021 – 2025), establishes a framework for member states to share threat intelligence, conduct joint training exercises, and co‑ordinate on cross-border cyber incident reporting (ASEAN, 2021[40]). Under this agreement, dedicated working groups have been formed to address technical, legal, and policy challenges. While implementation is ongoing, observers note that progress in information sharing and best practice dissemination has already improved baseline security awareness among institutions (ASEAN Regional Forum, 2024[88]). The same dialogue also pointed to the ASEAN Cybersecurity Co‑operation Strategy 2026‑2030 and efforts to elevate cybersecurity in ASEAN-led fora, signalling that “framework-building” is increasingly paired with operational co‑ordination (ASEAN, 2021[40]). Recent co‑operation has become more operational: in October 2025, ASEAN Member States convened in Singapore for the first in-person ASEAN CERT Incident Drill (ACID), which tested cross-border response co‑ordination and piloted a regional information-sharing mechanism for threat intelligence exchange (CSA, 2025[89]).

To operationalise these commitments, ASEAN has established various institutional mechanisms. The ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) provides a platform for training, capacity-building, and knowledge exchange. National Computer Emergency Response Teams (CERTs), co‑ordinated regionally, now engage in joint exercises and scenario planning to bolster collective preparedness. These institutional advancements foster a sense of community and shared purpose, encouraging member states to invest in upgrading their regulatory and supervisory capabilities (ASEAN Regional Forum, 2024[88]).

As ASEAN has uneven mechanisms in place, their efficacy varies largely because countries have diverse perceptions of cyber threats. Approaches to address cybercrime vary across international, regional and national fronts. While the regulation progress is not uniform at the national level across the entire region and not all countries have reached the same level of cybersecurity systems, several ASEAN member states have demonstrated significant efforts in supporting the development of cyber norms (Socquet-Clerc et al., 2023[90]).

However, while recognising the need to strengthen collective efforts to address cybersecurity challenges, the ASEAN leaders have made efforts for greater co‑operation and co‑ordination among ASEAN Member States on cybersecurity policy development and capacity building initiatives (ASEAN, 2021[91]). In 2018, the ASEAN Leaders issued the ASEAN Leaders’ Statement on Cybersecurity Co‑operation and established the ASEAN Cybersecurity Co‑ordinating Committee (Cyber-CC) in November 2020, with a view to strengthening cross-sectoral and cross-pillar co‑ordination on cybersecurity policies, and on multidisciplinary measures to respond to the rapidly growing challenges in cyberspace.

Meanwhile, sectoral bodies under the political security community pillar continue to contribute to addressing cybersecurity. ASEAN Senior Officials Meeting on Transnational Crime (SOMTC), for example, has a Working Group on Cybercrime and has operationalised multi-year programmes of the ASEAN Cyber Capability Desk (ASEAN Desk) lodged at the INTERPOL Global Complex for Innovation in Singapore. Recent initiatives also show capacity-building moving from national-level training toward strengthening regional institutions. In late 2025, partners and member states explicitly discussed technical assistance to strengthen ASEAN Secretariat networks, while a partner-funded cybersecurity enhancement project for the ASEAN Secretariat’s IT and network infrastructure concluded with a formal closing and handover, illustrating how “institutional resilience” is becoming part of the regional toolkit (U.S. Department of State, 2025[87]).

While progress is evident, the ASEAN region continues to face notable challenges. Limited financial and human resources, uneven technical capabilities, and diverse legal traditions can hamper full harmonisation of cybersecurity regulations. Developing economies may struggle to meet stringent international standards without technical assistance, financial support, and training programmes that help bridge capacity gaps (Socquet-Clerc et al., 2023[90]).

Consequently, capacity building is a top priority. Partnerships with multilateral institutions, such as the Asian Development Bank (ADB), the World Bank and the International Monetary Fund (IMF), as well as collaboration with advanced economies and global technology firms, are helping ASEAN regulators strengthen their supervisory toolkits. Importantly, “supply chain security” in ASEAN increasingly extends beyond vendor due diligence to the resilience of shared infrastructure nodes. Joint exercises, workshops on vulnerability disclosure, and subsidised training in forensic analysis and threat intelligence collection enable regulators to keep pace with rapidly evolving threats. By incrementally raising the regulatory floor, ASEAN aims to reduce the disparities that attackers can exploit (IISS, 2023[80]).

Capacity building is also increasingly supported by external partners: recent initiatives expanded cybersecurity training programmes delivered via Malaysia’s Cybersecurity Center of Excellence, aiming to grow cyber talent and strengthen resilience across Southeast Asia (The Globe and Mail, 2025[92]). Recent initiatives also point to more concrete, programme‑based capacity building, including partner-supported efforts to enhance the ASEAN Secretariat’s IT and network cybersecurity, signalling continued investment in institutional resilience.

Regulation in ASEAN increasingly reflects a risk‑based philosophy, acknowledging that not all institutions face the same exposure or capacity constraints. Rather than adopting a one‑size‑fits‑all model, regulators encourage institutions to calibrate their cybersecurity investments according to their complexity, size, and systemic importance. Key financial market infrastructures, such as central counterparties, large payment systems, and systemically important banks, are therefore subject to more stringent requirements and closer monitoring. At the same time, supervisors recognise that major incidents often originate from basic security gaps, such as unpatched software, weak configurations, or control implementation failures, which smaller entities and third‑party providers are particularly prone to. As a result, less complex institutions, including small non‑bank lenders or rural banks, receive more targeted guidance and capacity‑building support to help them meet minimum standards and reduce these common “security‑hole” vulnerabilities (ASEAN, 2021[40]).

Market‑based incentives complement these regulatory mandates. For example, linking insurance premiums to the quality of an institution’s cybersecurity practices or integrating cyber‑resilience metrics into credit assessments can reinforce prudent behaviour. Because attackers frequently exploit the weakest link, while including suppliers and third‑party service providers with lower cyber maturity, which is strong baseline controls and timely remediation of known vulnerabilities improve not only firms’ security but also their market standing. Empirical banking research shows that cybersecurity risk interacts with banks’ risk‑taking incentives, supporting risk‑sensitive supervisory expectations (Sulong et al., 2025[93]). Institutions with better cybersecurity controls benefit from lower insurance costs, improved funding conditions, and greater investor confidence, strengthening the business case for continuous improvement (ASEAN, 2021[40]).

Given the prominence of SMEs in ASEAN’s economic structure, regulations increasingly highlight supply chain security. Authorities recognise that SMEs, while crucial for economic growth, often lack the resources to implement robust cybersecurity measures. Regulatory guidance now encourages large financial institutions to vet their third-party service providers rigorously, ensuring that critical data and operations are not outsourced to vulnerable suppliers (EY, 2021[94]). To support SMEs directly, regulators and industry associations have developed cybersecurity programmes, accessible training materials, and cost-effective solutions like pooled procurement of cybersecurity centres (ASEAN, 2024[95]). In some cases, public-private partnerships help subsidise these efforts. Over time, such measures aim to reduce systemic vulnerabilities and minimise the risk of cascading failures originating from ASEAN cyberspace‑targeted attacks (ASEAN, 2021[40]).

By proactively engaging in global discussions, ASEAN can influence the shaping of international norms and ensure that its voice, reflective of developing and emerging market perspectives, is heard. This inclusive approach helps maintain regulatory relevance in a geopolitical era where cyber threats increasingly intersect with trade, diplomacy, and economic security (ASEAN, 2021[91]).

Policymakers recognise that emerging technologies such as AI and quantum computing can be misused to manipulate markets, orchestrate synthetic identity fraud, or disseminate disinformation that destabilises investor sentiment (BIS, 2024[99]; MAS, n.d.[100]). In the geopolitical context, AI-driven attacks can serve as force multipliers, allowing organisation-driven intelligence adversaries to execute large‑scale social engineering campaigns at minimal cost.

Addressing these geopolitical challenges demands multi-layered responses. Bilateral and multilateral cyber diplomacy channels allow states to establish basic “rules of the road” in cyberspace, reducing the likelihood of escalation or miscalculation (UNODA, 2022[101]). Confidence‑building measures (CBMs), such as information exchanges, hotlines for incident reporting, and joint cyber risk assessments, foster transparency and mutual understanding.

Regional organisations and forums, including ASEAN, APEC, and the G20, can serve as platforms for discussing cyber norms and promoting responsible state behaviour in the financial domain. Capacity-building partnerships with advanced economies and private sector stakeholders can help ASEAN member states keep pace with evolving threats, ensuring that the region’s digital infrastructure is prepared to withstand geopolitically motivated attacks.