Across Western markets, policymakers are increasingly considering whether tighter controls, including potential restrictions on ransomware payments, could help curb the financial incentives that fuel cyber extortion. The intention is straightforward – if public sector bodies and critical infrastructure become less profitable targets, attackers may be less inclined to pursue them. In Singapore and across much of Asia, the approach is more measured and rooted in operational pragmatism.
Singapore has emerged as a regional leader in resilience-focused cybersecurity. While the government has not legislated an outright ban on ransomware payments, its guidance is unambiguous – organizations should focus on prevention, preparedness, and recovery capability, and payment should never form part of an organization’s planned response.
The Cyber Security Agency of Singapore (CSA) reinforced this position in its April 2025 advisory, calling for a multi-layered defense strategy, regular backups, and robust incident response planning to combat escalating ransomware threats. This reflects Singapore’s broader philosophy: risk management, operational resilience, and public-private collaboration over prescriptive mandates.
Through its active participation in the international Counter Ransomware Initiative (CRI), Singapore is encouraging greater information-sharing – providing guidance for critical infrastructure. The emphasis is on building resilience before an incident, not in the middle of one.
The scale of the challenge
The threat itself is far from theoretical. IBM reports that the Asia Pacific region accounted for 34 percent of all cyber incidents globally – the highest regional share and a 13 percent increase from the previous year. Despite discouragement from authorities, Commvault’s State of Data Readiness Asia Report revealed that 39 percent of organisations in Asia with ransomware demands paid the ransom, illustrating the challenges of enforcement and the harsh realities of operational pressure.
This highlights the tension between policy guidance and operational reality. When essential systems such as production lines, hospitals, or logistics systems are down, the cost of prolonged downtime can quickly outweigh the ransom itself.
In critical scenarios, organizations often feel they have no choice.
Why traditional deterrence isn’t enough
There is a growing consensus that deterrence alone will not stop ransomware – resilience, information-sharing, and rapid recovery are just as critical.
Attackers are already targeting vulnerable sectors such as manufacturing, logistics, and healthcare – industries critical to Asia’s economic engine. A single attack can ripple across operations, disrupting supply chains, halting production, and affecting entire business ecosystems.
Unplanned downtime, resulting from ransomware or other cyber incidents, can cost industrial businesses up to US$125,000 per hour. And for small and medium-sized businesses (SMBs), which make up over 90 percent of enterprises in Southeast Asia, such losses can be existential.
Many lack the resources or insurance coverage to absorb prolonged downtime. Given that ransomware attacks are an inevitability and the decision to pay a ransom is fraught with ethical, legal, and practical challenges, the only way forward for organisations is greater investment in prevention, detection, and rapid recovery technologies to strengthen organizational resilience.
Building business continuity in Asia from the inside out
Maintaining essential services during a cyberattack has become an absolute must-have – which means having a clear and actionable plan in place to restore critical systems, data, and processes. A ‘minimum viable company’ is a top-down business-led approach that enables organisations to prioritise the recovery of core operations until full recovery can be achieved. By protecting the key systems, assets, processes, and people needed to maintain essential services during a cyberattack, organizations can continue to operate when disruption hits and protect their long-term viability.
Building minimum viability starts well before an attack and requires identifying what truly matters for continuous business: in other words, the fundamental applications and services that must always stay secure and operational. Typically, this will include communication platforms such as email and collaboration tools, financial and customer-facing systems, and core operational workflows. Maintaining data integrity and availability will also be crucial for restoring operations and reducing the risk of reinfection. In this respect, immutable, air-gapped backups and regular recovery point testing and validation are vital for ensuring the availability of clean data for restoration.
Since resilience depends on people as much as technology, clearly defined incident procedures and regular scenario-based drills are essential for evaluating team response times and continually improving processes. The goal here is to test the organization’s readiness and ability to recover from an attack and identify areas that need strengthening.
Asia’s economies are among the most digitally advanced in the world. As cyber threats escalate, the region is charting its own path – one defined by collaboration, transparency, and operational readiness. Paying ransom may appear to buy time, but it rarely buys recovery. The stronger and more sustainable the approach built upon resilience, the higher the chances of ensuring that even in crisis, organisations remain viable, operational, and ready to recover.
Because in today’s threat landscape, the real measure of preparedness isn’t whether you can avoid being targeted – it’s how well you recover when you are.

Martin Creighan is Vice President, Asia Pacific at Commvault.
Martin Creighan is an accomplished executive with extensive experience in the technology and telecommunications sectors. Currently serving as Vice President of Asia Pacific at Commvault since June 2023, Martin previously held leadership roles, including Vice President & GM at Cloud Software Group and Vice President & Managing Director at Citrix, where his responsibilities encompassed sales and business development across Australia and New Zealand. Additionally, Martin contributed to the American Chamber of Commerce Australia as a Non-Executive Director on the Board and managed AT&T’s operations in the region for over 16 years, beginning as Regional Account Director and progressing to Vice President & Managing Director. Earlier in his career, Martin acquired expertise in business development at Radware, SecureNet, and Baltimore Technologies. Martin holds a Bachelor of Business Administration from the National University.

