Welcome back to Continuum Risk Update. Every Friday we pull the top Asia headlines on digital-asset regulation, cyber risk, industry moves and insurance signals, with concise takeaways and practical actions for insurers and corporate risk teams.
1) Regulatory
Southeast Asia Blockchain Week convenes regulators and stablecoin giants in Bangkok
Thailand’s SEC and senior officials from Indonesia gathered at ICONSIAM alongside Circle, Tether, Bitkub, and SCBX for the region’s flagship Web3 policy event. Thailand’s SEC Director confirmed digital assets as a core regulatory priority for the next three years, with plans to expand on-chain issuance and real-time settlement. Circle’s David Katz addressed USDC’s institutional rollout across APAC. The event puts Southeast Asia firmly on the map as an active rulemaking zone, not just a growth market.
Thailand SEC closes public consultation on crypto derivatives licensing simplification
Thailand’s SEC shut its public consultation window on May 20 for a proposal that would let licensed digital asset firms apply for crypto derivatives licenses without creating separate corporate structures. The reform builds on February’s Cabinet amendment formally recognising Bitcoin and Ethereum as eligible instruments for regulated futures trading. With the feedback period closed, Thailand is set to finalise one of the region’s most commercially significant licensing changes, directly affecting how institutional players structure derivatives exposure across Southeast Asia.
2) Hacking & Physical Risks
Verus-Ethereum bridge drained of $11.6M in live cross-chain exploit
Attackers exploited a validation flaw that allowed the bridge to release ETH-side funds without confirming backing on the Verus side. The stolen assets (103.6 tBTC, 1,625 ETH, 147,000 USDC) were swapped to roughly 5,402 ETH and the attacker wallet was pre-seeded via Tornado Cash 14 hours prior. Blockaid detected the attack live but could not prevent the drain. The exploit is one of eight bridge incidents Peckshield tracked through mid-May, which collectively totalled $328.6M, cementing cross-chain bridges as 2026’s primary attack surface.
Peckshield: eight bridge exploits, $328.6M drained in May alone
Peckshield’s mid-May tally confirmed that cross-chain bridge infrastructure is suffering its worst month on record, with eight major incidents logged before the halfway point. The losses compound an already brutal year: April alone saw over $600M stolen across 30+ DeFi incidents, led by the KelpDAO and Drift Protocol exploits. The pattern of bridge failures, concentrated in single-verifier and cross-chain validation architectures, is the clearest signal yet that smart contract cover underwriting needs bridge-specific risk segmentation.
3) Industry & Markets
Pro Global enters APAC insurance market with Australian advisory acquisition
Pro Global acquired GSI Professional Services, a specialist audit and advisory firm serving Australian insurers and MGAs, with founder David Mills staying on as head of region. The deal is a platform play for broader APAC expansion, targeting demand for delegated authority oversight as regulatory expectations tighten across the region. It signals that established global insurance services players are now actively building APAC infrastructure rather than servicing the region remotely.
Ascend and Honor Capital merge to create insurance industry’s first vertically integrated financial operations platform
InsurTech Ascend has agreed to merge with premium finance provider Honor Capital, combining insurance payment infrastructure with capital access in a single platform. The deal is positioned as the first fully integrated financial operations stack for the insurance industry, covering premium financing, payments, and reconciliation. As APAC insurers face rising pressure to digitise financial operations and reduce back-office friction, this kind of vertical integration signals where the market is heading.
4) Insurance Spotlight
AI is not cyber: insurers pricing the distinction wrong as early litigation mounts
A May 20 Insurance Journal viewpoint made the case gaining traction in underwriting circles: treating AI liability as a subset of cyber risk is a category error, and early litigation is proving it. AI failures are landing in product liability, professional negligence, and algorithmic discrimination frameworks, not data breach language. Berkshire Hathaway, Chubb, and Travelers have secured regulatory approval to exclude AI damages from over 80% of GL policy requests. Standalone AI liability products from Munich Re, Armilla, and Embroker are filling the gap with limits from $2M to $50M. Cyber policies with unaddressed AI wording face contested claims ahead.
India’s IRDAI mandates AI cyber readiness audit from every insurer by May 22
India’s insurance regulator IRDAI issued an emergency directive this week requiring all insurers, reinsurers, brokers, and TPAs to submit a formal Action Taken Report on frontier-AI cyber readiness by May 22. Firms must detail their preventive, detection, and response mechanisms against AI-enabled threats, covering sensitive data assets and legacy IT systems. With less than a week’s notice given, the directive exposes how underprepared much of the sector remains. IRDAI’s revised Cyber Security Guidelines, issued in April and replacing the 2023 framework, underpin the mandate.
