Blogs

Stop Fining the Victim. Start Hunting the Hacker

Blog Banner

Written By

expert Image

Chari TVT

Board Director & Strategic Financial Advisor
LinkedIn Icon

More from Twimbit

Instagram IconLinkedIn IconInstagram Icon
Generate AI summary

Regulators across the region are reaching for the same lever: bigger fines. Singapore's proposed Digital Infrastructure Bill would let authorities fine data centres and cloud providers up to S$1 million, or 10% of local turnover, for cybersecurity and business-continuity failures. Malaysia's Cyber Security Act 2024 leans the same way, with heavy compliance duties and penalties on the operator, once something has already gone wrong. It looks tough. It is, in fact, the wrong target.

The House Analogy

If someone breaks into my home and takes RM5,000, I lodge a police report. The police pull the CCTV, trace the vehicle, and go after the burglar. Nobody fines me for owning a house that got robbed. Yet when a bank, an airport, or a telco is hacked, the instinct is to fine the victim of the crime, not to fund the hunt for the criminal. MAHB was attacked. Airlines have been attacked. Agrobank had an incident. In each case, the organisation was already fighting a criminal; punishing it afterwards does not deter the next attacker, and it quietly pushes management's attention away from running the business and toward defending against the regulator as much as the hacker.

Why Fines Are the Wrong Tool

  • Hackers are organised, often state-linked, and share tools and tactics across borders. No single bank, telco or SME can out-invest that scale alone.
  • A fine punishes the entity that was attacked, not the entity that attacked it. It treats a crime victim like a negligent party by default.
  • It pushes every SME, hospital and mid-sized firm to build its own security stack — expensive, duplicated, and still no match for professional threat actors.
  • Management time shifts from strategy and growth to compliance paperwork and post-incident liability, not to genuinely better defence.

The KYC Double Standard

There is a deeper inconsistency worth confronting. Regulators pursue banks and telcos relentlessly on Know-Your-Customer obligations — verifying identity, tracking beneficial ownership, filing suspicious-transaction reports, and paying heavy penalties for any lapse. Yet hyperscalers, cloud platforms and software providers, whose infrastructure is used by millions including the very perpetrators regulators are trying to stop, carry no equivalent obligation. Nobody asks them to know their customer, or to flag what their compute, storage or APIs are actually being used for. A bank that fails to verify a client faces sanction; a cloud platform that hosts the server from which an attack is launched faces none. If KYC is essential to prevent financial crime, it is equally essential to prevent cybercrime — and this double standard between who is policed and who is not cannot be reconciled.

A Smarter, Cheaper Model

Regulators should centralise the hunt, not decentralise the blame:

  • Engage a small panel of top-tier threat-intelligence firms — the calibre of Palo Alto Networks, CrowdStrike, Mandiant, McAfee — on a national retainer, working directly with hyperscalers (AWS, Azure, Google Cloud) and local telco/router providers.
  • Hackers operate in patterns: known infrastructure, signatures, command-and-control behaviour. A centrally coordinated team, sitting inside the hyperscaler and network layer, can detect and block these patterns once, for everyone — far cheaper than 10,000 organisations each buying their own defence.
  • Require SIRIM-style certification for software and AI systems before they go live in critical sectors — the same discipline already applied to phones and telecom equipment — covering resilience against attacks and against deepfake/synthetic-media fraud.
  • Use fines, where still necessary, to fund this national capability and not as the primary deterrent.

The Ask

Redirect the current policy instinct. Instead of a compliance regime that makes every bank, telco, hospital and SME individually and separately liable, build one national capability that actually detects and stops the attackers, in partnership with the hyperscalers and the security industry leaders who already do this globally. That protects the country at a fraction of the collective cost, and lets management get back to running their businesses instead of bracing for the next fine.