A Cautionary Tale for Banks
Resilience isn’t owned by a single function. It’s everyone’s business.
By Rachael Johnson
Over a year since the Change Healthcare cyberattack in the US, Southeast Asia’s banking sector is being served its own wake-up call. The inevitability of cyber breaches is no longer in doubt — it’s the preparedness, adaptability, and resilience of financial institutions that are being tested.
Recent attacks on third-party providers in Singapore, including the one on TOPPAN Next that compromised customer statements at DBS Bank and Bank of China, have underscored just how exposed the region’s financial institutions are to vendor-based vulnerabilities. While neither bank’s core infrastructure was breached, the Monetary Authority of Singapore (MAS) has reiterated the need for banks to strengthen operational oversight and reinforce controls across their digital supply chains.
According to IBM’s 2025 X-Force Threat Intelligence Index, Asia-Pacific was the most attacked region globally in 2024, accounting for 34% of observed incidents. Much of this activity has targeted finance, insurance, and transport infrastructure — industries where legacy systems and fragmented security layers create ideal entry points for attackers. While cybersecurity investment has grown across Southeast Asian markets, many of the core challenges — human error, cross-functional silos, and underdeveloped incident response planning — persist.
ACCA members in countries like Singapore, Malaysia, and Indonesia consistently report that internal fraud risks remain underreported, and in some organisations, are culturally sensitive to raise. “There’s still a sense that acknowledging vulnerabilities means admitting failure,” noted one ACCA member in Singapore. “And that’s dangerous because it delays the very conversations we need to be having.”
The recent MAS enforcement action against DBS Bank, following multiple service disruptions, was a notable inflection point: operational resilience is no longer a compliance issue — it is now recognised as a material financial and reputational risk. Additional capital buffers imposed by the regulator highlight that risk lapses now carry direct consequences.
Meanwhile, banks across the region are also facing internal strain. “We’re seeing teams burn out trying to interpret evolving regulatory expectations while also modernising their systems,” said another ACCA member in Kuala Lumpur. “There’s a limit to how much reactive effort can be sustained without leadership driving more integrated risk planning.”
It’s here that accountancy and finance professionals have a unique role to play. As stewards of internal control, budget scrutiny, and performance data, they are positioned to bridge the gap between technical cybersecurity priorities and wider business strategies. They can help ensure that risk appetite statements are not only written — but understood and actioned across teams.
Banks in Southeast Asia don’t need to be told a breach is inevitable. They know it. What’s needed now is a cultural shift — one that promotes shared accountability, values early warning signals, and recognises that resilience isn’t owned by a single function. It’s everyone’s business.
Rachael Johnson is global head of risk management and corporate governance for policy and insights at ACCA, the global trade body for professional accountants. She has been producing thought leadership on risk and governance for over 20 years and her recent focus has been on how accountancy professionals can do more to build organisational resilience in today’s fast-changing world. Her work includes the recent report, Risk Cultures in Banking: Where Next?, and the complementary podcast series. She manages ACCA’s Global Forum for Governance, Risk and Performance, and its monthly CROs and Heads of Risk lunch and learning sessions. In addition, she sits on the OECD’s BIAC committee for corporate governance and ISO’s Technical Committee 309 on governance of organisations.