Cybersecurity Sector Risk Assessment: Southeast Asia
Risk Assessment
Southeast Asia's cybersecurity market is growing fast — the regional market is on track toward USD 141 billion by 2030 at a 13.7% annual growth rate — but the risk environment is deteriorating at roughly the same pace as the opportunity. Singapore recorded 6,100 phishing cases in 2024, a 49% increase year-on-year, while the broader APAC region absorbed 34% of all global cyberattacks that year. The threat is not theoretical: named incidents in Vietnam, Thailand, and across the ASEAN government sector confirm that state-sponsored and criminal actors are actively targeting the region's critical infrastructure and financial systems.
What makes this market structurally complicated right now is a three-way tension between accelerating regulation, a fragmented vendor landscape, and a threat environment that is outpacing enterprise defences. Vietnam's amended Cybersecurity Law took effect January 1, 2026. Malaysia's Personal Data Protection Act amendments introduced mandatory breach notification from June 2025. Indonesia's data protection law is moving toward enforcement. Each country is building its own compliance architecture, and cybersecurity vendors operating across the region face five distinct regulatory regimes simultaneously — with no harmonisation in sight. For investors, the compounding risk is that the companies best positioned to win on product are also most exposed to cross-border regulatory friction.
The attack surface is expanding faster than enterprise defences can close it.
APAC absorbed 34% of global cyberattacks in 2024. The threat is concentrated, persistent, and already inside critical networks.
Southeast Asia absorbed more than 135,000 blocked ransomware attacks in 2024, with Indonesia accounting for 57,554 and Vietnam 29,282 according to Kaspersky data. [Vietnam News] These are blocked attempts — the number of successful intrusions is not publicly disclosed, which is itself a finding: the region lacks a mandatory breach notification culture outside Singapore, making the true incident rate unknowable. Singapore is the exception: its Cyber Security Agency confirmed 159 ransomware attacks in 2024, a 21% increase, alongside 6,100 phishing cases, up 49%. [CSA Singapore]
The character of the threat has shifted. State-sponsored actors are no longer probing perimeters — they are resident inside networks. The CL-STA-1020 campaign (late 2024 into 2025) used AWS Lambda for command-and-control communications against Southeast Asian government targets, exfiltrating trade negotiation data through legitimate cloud storage services to avoid detection. [Palo Alto Unit 42] The use of hyperscaler infrastructure as attack plumbing is a direct challenge to network-based detection: if malicious traffic looks identical to legitimate AWS API calls, signature-based tools fail. A separate campaign attributed to a Chinese-backed group breached Thai government institutions, with initial access traced to 2023 — meaning the attacker was resident for over a year before discovery. [Research and Markets]
Manufacturing is the most targeted sector across APAC at 40% of incidents, followed by finance and insurance at 16% and transportation at 11%. [IBM X-Force via Research and Markets] For cybersecurity vendors, this concentration matters: a platform strong in financial services but light on OT and industrial protocol coverage is structurally exposed as the threat profile shifts toward operational technology.
Five countries, five frameworks, zero harmonisation: regulatory complexity is a structural cost burden.
Vietnam's cybersecurity law took effect January 1, 2026. Malaysia's breach notification went live June 2025. Each country is building independently.
Southeast Asia has no equivalent of the EU's GDPR — a single framework that, however imperfect, allows a vendor to build one compliance architecture and deploy it across a bloc. Instead, a cybersecurity company operating across Malaysia, Singapore, Indonesia, Thailand, and Vietnam faces five distinct legal regimes, each at a different stage of development and each with different data localisation, incident reporting, and licensing requirements. This is not a future risk — it is a present operating cost. Vendors must maintain separate legal counsel, separate data infrastructure, and separate compliance teams in each jurisdiction. [DFDL]
Vietnam's amended Cybersecurity Law, effective January 1, 2026, is the most structurally significant recent development. [DFDL] It establishes a national list of critical information systems, introduces three-tier risk classification with escalating obligations — Level 3 systems require dedicated security teams and mandatory audits — and imposes licensing and import controls on cybersecurity products and services including penetration testing and threat monitoring. Any foreign cybersecurity vendor selling into Vietnam's government or critical infrastructure sector now requires a licence. The compliance timeline is immediate, not phased. Vietnam's Personal Data Protection Law (Law No. 91/2025/QH15) also took effect January 1, 2026, adding a second concurrent compliance obligation. [DLA Piper]
Vietnam, amended Cybersecurity Law: Effective January 1, 2026. Establishes National List of critical information systems with three-tier risk classification. Level 3 systems require dedicated security teams, mandatory audits, and incident response capabilities. Foreign vendors require licences for penetration testing, threat monitoring, and related services.
Vietnam, Personal Data Protection Law (Law No. 91/2025/QH15): Effective January 1, 2026. Concurrent with amended Cybersecurity Law. Creates dual compliance obligation for any vendor processing Vietnamese personal data.
Malaysia, PDPA amendments: Cross-border data transfer rules (adequacy model) effective April 1, 2025. Mandatory DPO appointment and breach notification effective June 1, 2025. Data portability rights to follow. No named cybersecurity firm compliance statements publicly available.
Indonesia, UU PDP: Imposes data localisation requirements more stringent than regional peers. Enforcement timeline for full provisions not confirmed in available sources. No named firm responses documented.
Singapore: The framework emphasises organisational accountability for data transfers without pre-approvals. Specific 2025–2026 amendment enforcement dates not confirmed in available sources. CSA Singapore remains the most disclosure-forward regulator in the region.
Malaysia activated key PDPA amendment provisions in two tranches: cross-border data transfer rules on April 1, 2025, and mandatory Data Protection Officer appointment plus breach notification on June 1, 2025. [ASEAN Briefing] No public statements from named cybersecurity firms confirming their compliance posture have appeared in available sources — this absence itself signals that the sector has not yet developed a culture of compliance transparency comparable to European peers. For investors assessing portfolio companies, the inability to verify compliance status is a due diligence gap that carries direct liability exposure if a breach triggers a regulatory action.
Deepfake fraud has already crossed from theoretical to operational — AI-powered attacks are next.
Asia-Pacific deepfake fraud cases rose 1,530% between 2022 and 2023. The next escalation is AI versus AI.
Deepfake-enabled identity fraud is not an emerging risk in Southeast Asia — it has already arrived. Asia-Pacific recorded a 1,530% increase in deepfake fraud cases between 2022 and 2023, the second-highest rate globally, concentrated in Indonesia and Vietnam where high mobile penetration and rapid fintech adoption create large attack surfaces. [Oz Forensics] The mechanism is straightforward: generative AI tools can now replicate faces, voices, and document appearances well enough to pass eKYC verification in banking, fintech, and telecoms onboarding flows. Regulators in Indonesia and Vietnam have already responded with stricter biometric mandates and SIM registration reforms — confirming that the threat is considered operational, not theoretical, by the authorities closest to it.
The World Economic Forum's 2026 Global Risks Outlook ranks cyber-enabled fraud and phishing as the top near-term concern for CISOs globally, with AI vulnerabilities ranked second. [WEF] For Southeast Asian markets, this is compounded by the region's position as a target for both criminal and state-sponsored actors: AI-powered attack tooling does not require advanced technical capability to deploy at scale, which means the barrier for financially motivated criminal groups — already active in the region — has dropped materially. Oz Forensics describes the emerging dynamic as 'AI vs AI': fraud platforms will scale attacks industrially, and defenders will need AI-powered detection to respond at equivalent speed.
OT and critical infrastructure threats are growing but the regional evidence base is thinner. APCERT's 2024 Annual Report documents escalating malicious activities in the region but without granular OT-specific breakdowns. IBM X-Force data shows that manufacturing — the sector most dependent on OT security — accounts for 40% of APAC cyberattacks. [IBM X-Force] Quantum computing implications for cryptographic infrastructure are real but remain theoretical for this market over the 24-month horizon: no regional CERT or named vendor has published a timeline for quantum-relevant threats specific to Southeast Asia.
One in three Southeast Asian organisations has been compromised through a third-party vendor — and the region's vendor ecosystem is not mature enough to contain it.
Supply chain attacks are now the norm, not the exception. Earth Lamia has been active since 2023 with confirmed custom tools.
Supply chain compromise has become the default attack path for sophisticated actors targeting Southeast Asia. One in three organisations in the region has been affected by a third-party compromise according to available threat intelligence, a figure that reflects the region's rapid digital expansion outpacing its vendor security standards. [Trend Micro] Earth Lamia, tracked by Trend Micro, has been exploiting SQL injection and remote code execution vulnerabilities in web-facing servers across Southeast Asian IT and government targets continuously since 2023, using custom tooling — PULSEPACK and BypassBoss — developed specifically for this environment. The campaign is confirmed ongoing as of 2025 reporting. This is not an opportunistic actor; the sustained custom tool development signals dedicated targeting of the region.
The dependency of cybersecurity vendors themselves on hyperscale cloud providers creates a secondary layer of operational risk. CL-STA-1020's use of AWS Lambda for command-and-control demonstrates that cloud infrastructure is not a safe harbour — attackers are using it as cover. No specific named outages at regional cybersecurity vendors attributable to AWS, Azure, or Google Cloud failures appear in available sources, so this risk remains partially theoretical. What is confirmed is the direction: as more cybersecurity platforms shift their delivery to cloud-native architectures, their own infrastructure becomes a target surface, and a single hyperscaler incident affecting SEA availability would simultaneously impair multiple vendor platforms. No public data exists on how many regional cybersecurity vendors maintain multi-cloud redundancy or operate sovereign infrastructure in-country.
Cross-border data residency constraints add a third operational dimension. Vietnam's Decree 53/2022/ND-CP requires data localisation for specific service categories on Ministry of Public Security request. Indonesia's UU PDP imposes localisation requirements more stringent than regional peers. [Rouse] For a cybersecurity vendor running a regional security operations centre in Singapore and serving clients across five countries, these requirements may mandate either duplicated infrastructure or service segmentation — both of which increase cost and reduce the operational efficiency that justifies regional platform economics.
Operational risk by market (dimensions assessed: vendor maturity, cloud dependency, data residency exposure, patch cycle speed, regulatory compliance):

| Market | Annotation |
|---|---|
| Vietnam market | High localisation risk |
| Indonesia market | UU PDP pending enforcement |
| Singapore market | Most mature; best disclosure |
| Malaysia market | PDPA active June 2025 |
| Thailand market | Limited data available |
No named cybersecurity deals, valuations, or revenue multiples are publicly available for Southeast Asia — this absence is itself a risk signal.
The absence of public transaction data makes valuation discipline and exit planning opaque for regional cybersecurity investors.
No specific funding rounds, acquirers, deal valuations, or revenue multiples for cybersecurity software companies in Southeast Asia have appeared in available sources for 2025 or 2026. This is not a research failure — it reflects a genuine market characteristic: Southeast Asia's cybersecurity sector is dominated by private companies and subsidiaries of regional conglomerates that do not disclose financials, and by foreign multinationals (CrowdStrike, Palo Alto Networks, Fortinet) whose regional revenue is not broken out in public filings. The practical consequence for investors is that there is no public comparable set from which to benchmark a valuation, assess a revenue multiple, or model an exit.
Globally, technology M&A reached approximately USD 809 billion through Q3 2025, with tech deals accounting for 24% of global M&A volume. [Chambers Technology M&A 2026] Strategic buyers dominate tech exits because they offer faster liquidity than public markets, and the regulatory environment for cybersecurity acquisitions — particularly those involving access to government networks or classified infrastructure — is more complex than in other tech sub-sectors. Southeast Asia's TMT sector showed resilient deal activity through Q3 2025 despite tighter funding conditions, dominated by strategic buyers. [Mondaq] But no cybersecurity-specific transactions were named in available sources, and no evidence of concentration risk among dominant regional players appears in the research.
The concentration risk is real but unquantified: the region's enterprise cybersecurity spend is known to be dominated by global platforms (Palo Alto Networks, Fortinet, Microsoft Defender) whose distribution networks and government relationships create high switching costs. Local players like Ensign InfoSecurity (Singapore) and Securemetric (Malaysia) operate in a market where the largest contracts are contested by global vendors with deeper balance sheets. No market share data by vendor for Southeast Asia is publicly available from a named source — any figure would be an estimate, not a finding.
Three plausible trajectories for the SEA cybersecurity risk environment over the next 24 months.
The base case is continued escalation — the question is whether coordination or fragmentation defines the policy response.
The base case is that the threat environment continues to deteriorate faster than enterprise defences and regulatory frameworks can respond. The evidence for this trajectory is already in the data: attack volumes are rising, regulatory regimes are fragmenting rather than harmonising, and the adoption of AI-powered attack tooling is lowering the cost of sophisticated intrusions for criminal actors. The signal to watch is whether ASEAN governments move toward any shared incident reporting standard — absent that, the fragmentation risk compounds annually. Vietnam's January 2026 cybersecurity law is the most significant recent variable: its licensing requirements for foreign vendors could either strengthen the local ecosystem or reduce the quality of tools available to Vietnamese enterprises, depending on how the Ministry of Public Security applies them in practice.
- Vietnam MPS applies licensing rules restrictively, blocking 3+ major foreign vendors by Q4 2026
- Named breach of ASEAN financial infrastructure triggers simultaneous regulatory response in 3+ countries
- Indonesia moves UU PDP to active enforcement with punitive early actions
- AI-powered phishing and deepfake fraud incidents rise 40%+ in 2026 across Indonesia and Vietnam
- Singapore maintains mandatory reporting as regional benchmark; Malaysia and Thailand follow partially
- No major ASEAN-wide coordination mechanism emerges by end of 2027
- ASEAN member states agree shared incident reporting standard by mid-2027
- One or more large-scale breach events drive government-mandated enterprise cybersecurity spend increases
- AI-powered defensive tools reach price points accessible to SME segment across Vietnam and Indonesia
Intelligence Brief
Research conducted 14 Apr 2026. All statistics carry inline citation markers.
APAC share of global cyberattacks — IBM X-Force via Research and Markets: 34% in 2024 vs IBM X-Force historical (same source): 31% in 2022, 23% in 2023. The 34% figure for 2024 is used as current; the 2023 figure of 23% appears anomalous relative to trend and may reflect methodology changes. Both figures are from the same source chain — no third-party corroboration available.
No Tier 1 sources (McKinsey, Gartner, Deloitte, BCG, PwC, EY, KPMG) contributed to this report. All cybersecurity market data for Southeast Asia is from Tier 2 or Tier 3 sources. Confidence ratings are capped accordingly — no section rated above MEDIUM-HIGH.
No named funding rounds, deal valuations, revenue multiples, or acquisition targets for cybersecurity companies in Southeast Asia were available for 2025–2026. The investment landscape section is entirely based on confirmed absence of data, supplemented by global M&A context. Confidence: LOW.
No public compliance statements from named cybersecurity vendors or MSSPs regarding Malaysia PDPA, Vietnam Cybersecurity Law, or Indonesia UU PDP requirements were available. Vendor-level regulatory response cannot be assessed.
No granular OT-specific incident data for Southeast Asia was available. The OT threat assessment relies on APAC-level sector statistics (IBM X-Force manufacturing share) rather than confirmed SEA-specific incidents.
Thailand's cybersecurity and data protection regulatory posture (PDPA enforcement actions, named incidents) had minimal data available. Thailand-specific findings are limited throughout this report.
Singapore's Cybersecurity Act amendment details and 2025–2026 enforcement dates were not confirmed in available sources — the section describes the framework direction without confirmed legislative timelines.
This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.