Blogs
in culpa qui officia deserunt mollit anim id est laborumLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
Regulators across the region are reaching for the same lever: bigger fines. Singapore's proposed Digital Infrastructure Bill would let authorities fine data centres and cloud providers up to S$1 million, or 10% of local turnover, for cybersecurity and business-continuity failures. Malaysia's Cyber Security Act 2024 leans the same way, with heavy compliance duties and penalties on the operator, once something has already gone wrong. It looks tough. It is, in fact, the wrong target.
If someone breaks into my home and takes RM5,000, I lodge a police report. The police pull the CCTV, trace the vehicle, and go after the burglar. Nobody fines me for owning a house that got robbed. Yet when a bank, an airport, or a telco is hacked, the instinct is to fine the victim of the crime, not to fund the hunt for the criminal. MAHB was attacked. Airlines have been attacked. Agrobank had an incident. In each case, the organisation was already fighting a criminal; punishing it afterwards does not deter the next attacker, and it quietly pushes management's attention away from running the business and toward defending against the regulator as much as the hacker.
There is a deeper inconsistency worth confronting. Regulators pursue banks and telcos relentlessly on Know-Your-Customer obligations — verifying identity, tracking beneficial ownership, filing suspicious-transaction reports, and paying heavy penalties for any lapse. Yet hyperscalers, cloud platforms and software providers, whose infrastructure is used by millions including the very perpetrators regulators are trying to stop, carry no equivalent obligation. Nobody asks them to know their customer, or to flag what their compute, storage or APIs are actually being used for. A bank that fails to verify a client faces sanction; a cloud platform that hosts the server from which an attack is launched faces none. If KYC is essential to prevent financial crime, it is equally essential to prevent cybercrime — and this double standard between who is policed and who is not cannot be reconciled.
Regulators should centralise the hunt, not decentralise the blame:
Redirect the current policy instinct. Instead of a compliance regime that makes every bank, telco, hospital and SME individually and separately liable, build one national capability that actually detects and stops the attackers, in partnership with the hyperscalers and the security industry leaders who already do this globally. That protects the country at a fraction of the collective cost, and lets management get back to running their businesses instead of bracing for the next fine.
Join 6000+ industry executives who trust us.