Welcome back to Continuum Risk Update. Every Friday we pull the top Asia headlines on digital-asset regulation, cyber risk, industry moves and insurance signals, with concise takeaways and practical actions for insurers and corporate risk teams.

1) Regulatory

Hong Kong finalises its crypto regulatory framework as SFC completes the final licensing pillar

SFC chief executive Julia Leung declared this week that the conclusion of its public consultation on licensing regimes for virtual asset advisers and managers marks “the final leg of our journey to complete the regulatory framework for digital assets.” The SFC now covers exchanges, custodians, dealers, and advisers under a single coherent framework. Hong Kong also has 13 publicly offered tokenized products with HK$10.7B in AUM as of March 2026, a sevenfold increase from the prior year. The completion of the framework removes the last regulatory ambiguity that was keeping institutional capital at the door.

Read more

Singapore Police and crypto exchanges block $4.2M in scam funds in second joint operation

The Singapore Police Force’s Anti-Scam Centre ran its second joint operation with Coinbase, OKX, Coinhako, Gemini, Independent Reserve, StraitsX, and Upbit between April 16 and May 31, using blockchain analysis tools from Chainalysis and TRM Labs to identify 145+ scam victims across investment, job, love, and government impersonation scams. Combined with the first operation in March, the two rounds have safeguarded over $7M in total. Singapore separately announced the launch of a dedicated Cyber Command unit in May, scheduled to begin operations in July 2026, focused on cybercrime investigations, scam disruption, and crypto-related crime tracking.

Read more

2) Hacking & Physical Risks

China-linked SHADOW-EARTH-053 targets government and defense sectors across South, East, and Southeast Asia

Trend Micro disclosed details of a sustained espionage campaign targeting ministries and contractors in Thailand, Malaysia, Pakistan, India, Myanmar, Sri Lanka, and Taiwan, alongside one European NATO member. The group exploits unpatched Microsoft Exchange and IIS servers, deploys Godzilla web shells for persistent access, and stages ShadowPad implants via DLL sideloading. A parallel track specifically surveils Uyghur, Tibetan, Taiwanese, and Hong Kong dissidents and journalists. The dual-track structure, government intelligence collection combined with activist targeting, is a direct signal that political and business cyber risk are converging across the region.

Read more


DoJ, Meta, Microsoft, and Coinbase dismantle Southeast Asia crypto fraud networks, freeze $3.8M

The US Department of Justice’s Scam Center Strike Force, partnering with Meta, Microsoft, Starlink, and Coinbase, dismantled pig-butchering, investment fraud, and human trafficking networks running out of Southeast Asian special economic zones. Results: 1.4M Facebook and Instagram accounts disabled, 20,000 Microsoft accounts suspended, $3.8M in crypto frozen, and 63 arrests by the Royal Thai Police. For insurers, the scale confirms that APAC digital asset flows remain deeply entangled with organised fraud infrastructure at the regional level.

Read more


3) Industry & Markets

DB Insurance closes $1.65B Fortegra acquisition in the first Korean carrier purchase of a US insurer

South Korea’s DB Insurance completed its acquisition of Florida-based specialty insurer Fortegra for $1.65B in cash, closing the largest purchase of a US insurer by a Korean non-life carrier. Fortegra reported $3.07B in gross written premiums in 2024, operates across all 50 US states and eight European countries, and holds an AM Best A- rating. DB Insurance will operate Fortegra as a wholly owned subsidiary with existing leadership intact. Analysts expect Hanwha Life, Samsung Fire & Marine, and KB Insurance to study this transaction closely as it has established the regulatory and deal-structuring playbook for Korean outbound M&A in Western specialty insurance.

Read more


Willis D&O survey: Asian boards rank cyber as their top liability risk, separating the region from the global cohort

Willis’s 2026 global D&O survey of 975 senior decision-makers across finance, insurance, healthcare, and industrial sectors found that 76% of Asian respondents rated data loss and cyberattacks as very important or extremely important, placing the region ahead of the global average where health and safety holds the lead. Geopolitical risk entered the top seven globally for the first time, reflecting the impact of the Iran conflict and US-China trade friction on boardroom risk priorities. For APAC D&O underwriters, the combination of elevated cyber concern and newly surfacing geopolitical exposure is reshaping what directors face in terms of personal liability.

Read more


4) Insurance Spotlight

Asia’s cyber insurance market shows structural signs of life after years of flat penetration

A Dark Reading analysis published May 29 found that Asia’s cyber insurance market is showing its first genuine structural growth signals, backed by the CyberCube/UIB report earlier that week confirming Asia as the global growth frontier for the segment. Sub-5% SME penetration across most Asian markets, combined with accelerating ransomware volumes, 5G rollout, and tightening regulatory disclosure mandates, is converting latent demand into active buying. India, Vietnam, and Southeast Asia are the primary growth pockets. The question is no longer whether the market will grow, but which distribution models and product structures will capture it first.

Read more


QBE warns cyber attacks are speeding up across Asia Pacific as ransomware dwell time collapses

QBE’s latest APAC threat intelligence found that the average time between attacker access and ransomware deployment has fallen 70% since 2021, from around 100 minutes to under 30 minutes in recent incidents, with some cases recording full encryption of thousands of endpoints in under 10 minutes. APAC is increasingly in scope for newer criminal groups looking for markets with less competition from established actors, and attackers are combining technical access with social engineering to scale impact. For insurers, shorter dwell times compress the incident response window that most policy structures were designed around.

Read more