Welcome back to Continuum Risk Update. Every Friday we pull the top Asia headlines on digital-asset regulation, cyber risk, industry moves and insurance signals, with concise takeaways and practical actions for insurers and corporate risk teams.
1) Regulatory
HKMA confirms 36 stablecoin applications — but only 2 will proceed
HKMA Chief Executive Eddie Yue confirmed on May 5 that the regulator received approximately 36 applications under the Stablecoins Ordinance since its launch, but only HSBC and Anchorpoint Financial (the Standard Chartered, HKT, and Animoca JV) cleared the first round. Future licenses will be issued conditionally and gradually, with approval tied to market conditions, risk levels, and the operational track record of the two initial issuers. “The goal is not to flood the market,” the HKMA made clear.
2) Hacking & Physical Risks
KelpDAO blames LayerZero for approving the flawed setup behind $292M hack — migrates to Chainlink CCIP
In the post-mortem fallout from April’s $292M rsETH exploit, KelpDAO publicly claimed that LayerZero personnel had actively approved the 1-of-1 verifier configuration that allowed attackers to forge cross-chain messages. Chainalysis confirmed that 47% of active LayerZero OApp contracts currently use the same vulnerable single-verifier setup. Kelp has since migrated its rsETH bridge to Chainlink’s CCIP, making it the first major protocol to publicly abandon LayerZero following the exploit.
3) Industry & Markets
Asia’s bank-anchored stablecoin frameworks are now spawning an application layer
A May 6 analysis by Insignia Business Review examined how APAC’s regulated stablecoin infrastructure — anchored by bank-issued HKD stablecoins in Hong Kong and MAS-compliant instruments in Singapore — is creating a new rails layer for fintech and payments companies. Rather than building on permissionless chains, the emerging application layer in Asia is expected to run on regulated, bank-backed instruments, with DTSP-licensed providers in Singapore being interoperable with HKMA-approved issuers in Hong Kong.
4) Insurance Spotlight
Morgan Lewis: Cyber risk in Asia is no longer an IT problem — it’s a board liability and insurance imperative
A widely circulated Morgan Lewis briefing published in April mapped how APAC’s wave of new cyber legislation — including Hong Kong’s Critical Infrastructure Ordinance (effective January 2026), Singapore’s expanded Cybersecurity Act, and similar frameworks in Malaysia and Vietnam — is formally moving cyber risk from the IT department to the C-suite and board. Mandatory incident reporting windows, board-level accountability obligations, and regulatory audit rights now apply to critical infrastructure operators across multiple jurisdictions simultaneously.