Welcome back to Continuum Risk Update. Every Friday we pull the top Asia headlines on digital-asset regulation, cyber risk, industry moves and insurance signals, with concise takeaways and practical actions for insurers and corporate risk teams.
1) Regulatory
South Korea’s end-of-May crypto compliance deadline hits as exchanges race to implement kill switches
The FSC’s post-Bithumb reform package reaches its implementation deadline this week, requiring all Korean crypto exchanges to complete upgrades to 5-minute asset reconciliation, automated kill switches that halt transactions on detected discrepancies, and monthly external audit cycles. The original Bithumb incident in February saw 620,000 BTC accidentally credited to 249 users due to a single system error. With the deadline landing at end of May, exchanges that fail to demonstrate compliance face regulatory action as South Korea integrates these controls into its broader digital asset framework law.
Thailand Bitcoin and Ether ETFs advance as Southeast Asia races to become the region’s digital asset hub
Following SEABW’s close, Thailand is pressing ahead with its push to position Southeast Asia as a rival to Hong Kong and Singapore on digital asset infrastructure. The Thai SEC’s approval of crypto ETFs and regulated futures trading on TFEX, combined with a five-year capital gains tax exemption running through 2029, is drawing institutions that were previously sitting on the sidelines. The competitive dynamic between Bangkok, Singapore, and Hong Kong is accelerating regulatory clarity across the region faster than any single regulator could achieve alone.
2) Hacking & Physical Risks
TrapDoor supply chain attack targets crypto and AI developers across npm, PyPI, and Crates.io (May 24-25)
Socket disclosed a sophisticated malware campaign on May 24 that planted 34+ malicious packages and 384+ related versions across the three major developer package repositories. TrapDoor targets developers building crypto, DeFi, Solana, and AI protocols, stealing GitHub tokens, SSH keys, cloud credentials, and wallet data before any code ships. The campaign also injected hidden directives into .cursorrules and CLAUDE.md files to manipulate AI coding assistants into running data exfiltration routines disguised as security scans. For insurers writing smart contract and protocol cover, this confirms the pre-deployment layer is now an active attack surface.
“The next big DeFi exploit will start before the code is deployed” — and 2026 is proving it
A CryptoSlate analysis published this week argues that the industry’s focus on on-chain vulnerabilities is misplaced: the real entry points are now the developer environments, CI/CD pipelines, and dependency chains that determine what code reaches mainnet. The TrapDoor disclosure this week is cited as the clearest live demonstration yet. For underwriters, this shifts the risk profile of smart contract cover: a protocol can pass every audit and still be compromised weeks before it launches.
3) Industry & Markets
APAC insurance M&A holds steady as Australia records seven deals in Q1, led by Zurich’s $415M ClearView acquisition (May 25)
Despite broader APAC dealmaking caution, Australia and New Zealand drove regional insurance M&A with seven transactions in Q1 2026, up from one the prior quarter. The headline deal is Zurich’s pending $415.2M acquisition of ClearView Wealth, described by S&P Global as Zurich’s largest whole-of-company transaction in APAC in nearly a decade. A second deal saw International Medical Group acquire World Nomads from Nib Holdings for $48M to expand travel insurance distribution into Australia. Japanese insurers and private equity continue to be flagged as the primary drivers of deal activity through the rest of 2026.
Australian commercial insurance market remains soft through H1 2026
A May 2026 Insurance Business report confirmed that Australia’s commercial insurance market continues to soften across most lines heading into the second half of the year, with pricing pressure most visible in property and cyber. The softening is partly attributed to increased capacity flowing into the market and a relatively low major loss year to date. For Continuum, the soft Australian market creates both competitive pressure and an opportunity to differentiate on coverage quality and digital asset expertise as regional insurers reprice.
4) Insurance Spotlight
CyberCube and UIB identify Asia as cyber insurance’s next major growth frontier (May 26)
A joint report from CyberCube and United Insurance Brokers published May 26 positions Asia as one of the fastest-growing cyber insurance markets outside the US, driven by surging ransomware activity, rapid digitisation, and structurally low penetration. In many Asian markets, fewer than 5% of small businesses hold standalone cyber policies despite accelerating digital exposure from 5G, AI, and supply chain integration. Vietnam was identified as one of the fastest-growing ransomware targets in the region. The soft pricing environment in Western markets is actively pushing insurers toward Asia as the next volume growth opportunity.
Korea falls behind on cyber insurance as attacks nearly double in two years
South Korea recorded 2,383 cyber incidents in 2025, nearly double the level from two years prior, yet its cyber insurance market accounts for just 0.02% of global premiums. Only 2.7% of Korean companies hold a policy, and only 14.5% are even aware that cyber insurance exists. The low take-up is partly a cultural issue: firms prefer to handle incidents internally to contain reputational damage. As the FSC tightens exchange-level controls and AI-powered attacks intensify, Korea represents one of the starkest protection gap opportunities in the region for insurers with the right distribution approach.
