This is article part 8 of 15 in this report.
June 18, 2025
Asia-Pacific’s Commitment to Cyber Security Pays Off

Key takeaways
- Now is the time to consider obtaining cyber risk insurance. Asia-Pacific businesses generally compare favorably to the global marketplace and can benefit from the competitive and growth-oriented industry.
- Cyber incident frequency was up 29% year-over-year and 134% over the last four years, contributing to a 22% rise in cyber insurance claims in 2024 over the prior year.
- AI is a driving force of cyber risk. The rise in AI-driven deepfake attacks resulted in a 53% increase in social engineering incidents year-over-year, and social engineering and fraud claims increased by 233%.
The good news is that many businesses across the Asia-Pacific (APAC) region are growing in cyber maturity. The 2024 overall reported risk score for Aon clients, according to Aon’s CyberQuotient (CyQu) data, was 2.73 out of four, or approaching managed — close to North American clients’ maturity scores. Year-over-year, the risk score across cyber domains saw an almost 16 percent improvement, and responding companies recorded the most substantial scores in network security and data security, which includes governance and user awareness and training.
APAC aligned with its global counterparts and saw a substantial rise in cyber claims notifications, an increase of 22 percent over 2023, while cyber incident frequency was up 29 percent year-over-year, and up 134 percent across the past four years (2020-2024).
[Figure: APAC Incident Stats – rate of claims frequency, index on Q1 ’21]
Despite the increased activity, insurers across Asia-Pacific remained profitable and did not realize significant losses across the year as businesses were able to recover systems and operations quickly post-breach. This is a testament to the success of proactive cyber risk management, the role played by cyber insurance premium relief, stricter underwriting by carriers and the growing prevalence of self-insured retention.
Geopolitical Forces and Regulations Shape Risk Profile
In the “year of elections” [2], more than 12 nations across the Asia-Pacific region held federal or state elections across 2024, including Bangladesh, Bhutan, Cambodia, India, Indonesia, Japan, Pakistan, South Korea, Sri Lanka, Taiwan, Thailand and Australia [3]. This record political activity also sparked a significant increase in the use of nation-state-sponsored deepfakes in what appeared to be an effort to confuse and create distrust in elections. This was reflected in a 53 percent increase in social engineering incidents year over year.
Geopolitical forces, such as trade disputes or tensions, territorial disputes or the reconfiguration of the supply chain, also shaped how companies thought about cyber risk. According to the Council on Foreign Relations, 63 percent of all suspected nation-state-sponsored cyber operations originated in the region [4]. Asia-Pacific has become a dynamic hotbed of tension involving geopolitical rivals. Many critical industries have become the focus of advanced threat campaigns to support nation-states’ objectives, destabilize rivals and reinforce influence [5]. Accordingly, 2024 witnessed an escalation of cyber campaigns that targeted key industries, critical infrastructure operators, and supply chains of strategic importance [6]. The increasing intensity of these campaigns was reflected in the number of incidents targeting the public sector, financial institutions, manufacturing, and technology. The APAC region is increasingly playing a significant role in key manufacturing and technology industries, and the manufacturing industry’s economic importance and the intellectual property it holds make it an attractive target for cyber espionage and intellectual property theft [7]. In response to the rising risk, companies invested in key controls across physical and third-party security and resilience.
Cyber Domains | 2024 Asia-Pacific Data
Overall Risk Score: 2.73

Highest Scoring
- Network Security: 2.94
  - Pen Testing: 3.17
  - Network Environment: 3.04
  - Wireless: 2.73
- Data Security: 2.92
  - Governance: 3.15
  - User Awareness Training: 3.12
  - Data Classification: 2.83
- Physical Security: 2.87
  - Physical Access: 3.28
  - Environmental: 3.13
  - Tampering & Alteration: 2.10

Lowest Scoring
- Application Security: 2.35
  - Training: 1.87
  - Software Mgmt.: 2.38
  - Secure Dev.: 2.47
- Third Party: 2.45
  - Due Diligence: 2.36
  - 3rd Party Contracts: 2.52
  - 3rd Party Inventory: 2.73
- Business Resilience: 2.68
  - BCM/DR: 2.56
  - Backup: 2.58
  - Incident Response: 2.88

CyQu Risk Maturity Scoring
- Initial: 1.0 - 1.9
- Basic: 2.0 - 2.5
- Managed: 2.6 - 3.4
- Advanced: 3.5 - 4.0

The regulatory landscape covering privacy, security, and artificial intelligence (AI) topics continued to evolve across the Asia-Pacific region, forcing risk leaders to adapt their approaches to cyber risk governance and data security. There are now 25 in-force or proposed cyber security and data privacy regulations across 14 Asia-Pacific countries [8]. Furthermore, to address the risks associated with developing and deploying AI, 11 laws and regulations covering the technology are in force or proposed, and many companies have also issued AI governance frameworks and regulatory guidance [9]. Several of these regulatory frameworks (for example in Australia and Indonesia) have been modeled on European Union risk-based models such as the General Data Protection Regulation, the Network and Information Security 2 Directive, and the EU AI Act. Indonesia was a regional leader in introducing privacy law, with the 2022 introduction of the Personal Data Protection (PDP) Law (Law No. 27), which established a comprehensive legal structure to protect personal data across all sectors [10].
As the region continues implementing more robust regulatory models for cyber security, data privacy and AI risk management, maturity is improving across key controls, such as governance, data classification and third-party risk management of critical technology vendors.
The Shadow Risk — AI and the Expanding Digital Attack Surface
The Asia-Pacific region is experiencing a rapid acceleration in adopting AI and generative AI technologies, including software, services, and hardware designed for AI-driven systems [11]. Palo Alto Networks warns that 2025 will see a perfect storm of AI-driven cyber threats that will escalate in scale, sophistication and impact [12]. The increasing role of AI in security attacks explains the significant rise in incidents and claims involving deepfake social engineering and fraud (233 percent) [13]. Asia-Pacific experienced a 1,530 percent surge in deepfake cases from 2022 to 2023, marking it as the second-highest region in this concerning trend [14]. In a high-profile case in Hong Kong, cybercriminals utilized an AI deepfake, a digitally manipulated video of a senior executive, to induce a finance department employee to transmit wire transfers valued at $25.6 million [15]. Threat analysis of hacking groups, particularly Advanced Persistent Threats and nation-state-aligned groups, revealed that AI technologies, such as GenAI, are increasingly being used to scale and deliver campaigns across the region [16].
Furthermore, the urgency to capture economic opportunities associated with new AI technologies has seen a rush to market of new products and services. Unfortunately, it is often at the expense of conducting robust legal, security and risk management reviews before launch. The unsanctioned or unknown uses of AI have created a wide and unsecured digital attack surface. Of the companies surveyed in Aon’s 2024 Intangible Versus Tangible Risks Comparison Report [17], 79 percent of businesses reported using or intending to use artificial intelligence products and services, with only 32 percent reporting the existence of a formal inventory of all generative AI implementations. This risk is compounded by Aon’s analysis that 98 percent of chief risk officers report being “somewhat” or “not ready” to manage these new AI risks [18].
There is also a growing trend in sophisticated scams and money laundering, underscoring the necessity to address and combat evolving fraud patterns. Bangladesh and Pakistan had the highest fraud rates in Asia-Pacific, and the world, in 2023, with rates of 5.44 percent and 4.59 percent, respectively. Singapore stands out for successfully reducing its fraud rate, and Japan, Australia and Thailand have maintained their fraud rates at under two percent over 2021-2023 [19].
To combat these trends, companies in Asia-Pacific increased investment in user awareness training, to manage social engineering attacks; application security, to strengthen the security of new AI technologies; and third-party improvement, to help manage exposures from the deployment of AI vendors.
Growth-Oriented Cyber Insurance Marketplace
There is an intense focus on Asia-Pacific as a growth area for cyber insurance. Overall, organizations are proving to be more mature than the global market has historically anticipated and cyber insurance take-up in the region is markedly low, sitting at about 6 percent of the addressable market. Due to this, the region is experiencing significant competition among the many international insurers and increasing numbers of cyber insurance carriers entering from the London market. In response, the local insurance market is mobilizing to improve their policies and servicing. Collectively, this presents an ideal cyber insurance buyers’ marketplace. New and expanding risk necessitates a cyber insurance policy to protect against financial loss, while insurance carriers are lining up to help clients better understand, manage and transfer cyber risk.
Recommended Actions:
- Consider cyber risk insurance and enter the buyer’s market with confidence. Our CyQu data suggests that Asia-Pacific businesses compare favorably to the global marketplace.
- Use data and analytics to evaluate your organization’s cyber risk and maximize insurance. Forecasting loss scenarios, exposure assessment and total cost of risk are some of the essential data points for evaluating risk transfer mechanisms.
- When considering investing in AI, make certain to help protect that investment with proper cyber risk management and insurance protection.
References
[1] How North Korea’s unstoppable hackers are weaponizing AI. South China Morning Post. Leopold Chen. March 9, 2025. https://www.scmp.com/week-asia/economics/article/3301554/how-north-koreas-unstoppable-hackers-are-weaponising-ai
[2] The Year of AI and Elections. Council on Foreign Relations. Podcast. Gabrielle Sierra. https://www.cfr.org/podcasts/year-ai-and-elections. Lee Kuan Yew School of Public Policy. Report. https://lkyspp.nus.edu.sg/gia/article/a-record-year-of-elections-observations-from-2024
[3] A record year of elections: Observations from 2024. Council on Foreign Relations. Podcast. Gabrielle Sierra. https://www.cfr.org/podcasts/year-ai-and-elections
[4] Cyber Operations Tracker. Council on Foreign Relations. www.cfr.org
[5] The current impact of State-Sponsored Cybersecurity attacks in the Asia-Pacific Region. Modern Diplomacy. Guilherme Schneider. December 18, 2024. https://moderndiplomacy.eu/2024/12/18/the-current-impact-of-state-sponsored-cybersecurity-attacks-in-the-asia-pacific-region/
[6] The current impact of State-Sponsored Cybersecurity attacks in the Asia-Pacific Region. Modern Diplomacy. Guilherme Schneider. December 18, 2024. https://moderndiplomacy.eu/2024/12/18/the-current-impact-of-state-sponsored-cybersecurity-attacks-in-the-asia-pacific-region/
[7] The Changing: Cyber Threat Landscape Asia-Pacific Region – Volume 1. Cyfirma Decoding Threats. June 8, 2024. https://www.cyfirma.com/research/the-changing-cyber-threat-landscape-asia-pacific-apac-region-volume-1-2/
[8] Data Protection Laws of the World. An overview of key privacy and data protection laws across over 160 jurisdictions. DLA Piper. https://www.dlapiperdataprotection.com/
[9] Global AI Law and Policy Tracker. IAPP. November 2024. https://iapp.org/resources/article/global-ai-legislation-tracker/
[10] A New Chapter: Preparing for Indonesian Personal Data Protection Legislation. Aon. https://www.aon.com/apac/insights/blog/default/a-new-chapter-preparing-for-indonesian-personal-da
[11] Asia/Pacific* AI Investments to Reach $110 Billion by 2028, IDC Reports. IDC. Press Release. September 23, 2024. https://www.idc.com/getdoc.jsp?containerId=prAP52613324
[12] 2025 Cybersecurity Predictions. Asia-Pacific Region. Palo Alto Networks. December 21, 2024. Simon Green, President Asia-Pacific and Japan.
[13] How North Korea’s unstoppable hackers are weaponizing AI. South China Morning Post. Leopold Chen. March 9, 2025. https://www.scmp.com/week-asia/economics/article/3301554/how-north-koreas-unstoppable-hackers-are-weaponising-ai
[14] APAC Deepfake Incidents Surge 1530% in the Past Year Amidst Evolving Global Fraud Landscape. Sumsub Annual Identity Fraud Report. Press Release. November 28, 2023. www.prnewswire.com
[15] Company Loses Millions on Deepfake Scam. NFP. March 6, 2024. https://www.nfp.com/insights/company-loses-millions-on-deepfake-scam/
[16] Chinese and Iranian Hackers are Using U.S. AI Products to Bolster Cyberattacks. The Wall Street Journal. Dustin Volz and Robert McMillan. January 29, 2025. https://www.wsj.com/tech/ai/chinese-and-iranian-hackers-are-using-u-s-ai-products-to-bolster-cyberattacks-ff3c5884
[17] 2024 Global Intangible Versus Tangible Risks Comparison Report: De-risking AI, IP, and Cyber. Aon and Ponemon Institute. Report. 2024. https://assets.aon.com/-/media/files/aon/reports/2024/intangible-vs-tangible-risk-comparison-report-2024.pdf
[18] Aon global analysis.
[19] APAC Deepfake Incidents Surge 1530% in the Past Year Amidst Evolving Global Fraud Landscape. Sumsub Annual Identity Fraud Report. Press Release. November 28, 2023. www.prnewswire.com