Mon, 1 Jun 2026

PodChats for FutureCISO: Resilience imperatives for navigating Asia’s poly-crisis

For business leaders across Asia-Pacific, 2026 presents a fractured operational reality. As Vivien Bilquez, global head of Cyber at Zurich Resilience Solutions (ZRS), observes: "The core dilemma is no longer single-peril analysis but the 'poly-crisis'—where multiple events come together to wreak havoc on operations."

In this environment, resilience transcends traditional risk management; it becomes a strategic imperative demanding integrated, data-led engineering. With ransomware frequency plateauing yet severity surging—ransom demands have escalated by 47%, and 80% of incidents now involve data exfiltration—organisations must shift from reactive defence to proactive quantification and adaptation.

Geopolitical fragmentation and regulatory friction

Global trade's splintering into US and China-centric blocs has introduced profound complexity for Asian enterprises.

Export controls, data localisation mandates, and divergent cybersecurity regulations create what Bilquez terms "compliance friction"—costly operational overhead that strains resources and delays market entry.

"How dependent are we on rare earth elements or advanced components from contested sources?" he asks, urging leaders to map critical dependencies and assess sanctions exposure. For multinational corporations operating across Southeast Asia, navigating this patchwork requires more than legal counsel; it demands embedded risk engineering.

As Zurich's insights note, public-private partnerships are increasingly vital for addressing risks such as natural disasters or terrorism, where some exposures remain unquantifiable and uninsurable without state collaboration.

Climate stress meets digital vulnerability

Climate change amplifies every dimension of operational risk. Heatwaves across manufacturing hubs strain power grids, causing Operational Technology (OT) systems to collapse precisely when cyber adversaries exploit weakened defences.

"Are existing power backups designed for simultaneous crises—e.g., heatwave blackout plus ransomware—and can we recover in milliseconds rather than minutes?" Bilquez challenges.

Traditional backup infrastructure, designed for single-point failures, rarely accounts for compound shocks. The South China Sea and Strait of Malacca represent critical digital arteries; a severed cable could isolate financial centres from global markets within hours.

ZRS emphasises that resilience planning must now enrich Business Impact Analyses with geopolitical and climate scenarios, ensuring continuity playbooks address layered disruptions rather than isolated events.

The AI governance imperative

Artificial intelligence has fundamentally redefined the cyber perimeter. Zurich now formally includes AI within its definition of a computer system, expanding media coverage to encompass AI-generated content and AI-led attacks.

"Talk to us about the governance surrounding your AI implementation and key guardrails in place," Bilquez advises.

For Asian enterprises racing to deploy generative AI, this raises urgent questions: Are prompt-injection vulnerabilities assessed? Is the training data sourced ethically? Do closed-circuit alternatives exist for sensitive operations?

ZRS recommends a three-pillar approach: AI readiness assessments aligned with the EU AI Act and ISO 42001; governance frameworks defining roles, accountability, and model lifecycle controls; and specialised security testing addressing model extraction, data poisoning, and supply-chain risks. Without these guardrails, innovation becomes exposure.

Where digital threats become physical consequences

The convergence of IT and OT presents perhaps the most urgent frontier. Historical incidents—from Ukraine's 2015 power grid shutdown to the 2021 Colonial Pipeline disruption—demonstrate how quickly cyber intrusions translate into physical and human consequences.

"If a nation-state or hacktivist group shuts down existing OT systems, what is the financial loss per hour of halted production?" Bilquez poses.

In Asia's industrial heartlands, where manufacturing, energy, and logistics rely on interconnected control systems, a cyberattack disabling cooling systems or chemical delivery mechanisms could halt production within minutes.

ZRS's OT security journey prioritises non-disruptive risk assessments aligned with IEC 62443 standards, continuous monitoring via platforms such as Claroty or Nozomi, and rigorous tabletop exercises that unite engineering, security, and executive teams.

As Bilquez stresses, resilience here means recovering in milliseconds, not minutes.

Beyond insurance: Quantifying self-reliance

Modern insurance policies increasingly exclude "sovereign cyber operations" through clauses like Stryker, which deny coverage for cyberattacks carried out as part of war by sovereign states.

"Do prevailing insurance policies exclude 'sovereign cyber operations', and have organisations moved from relying on insurance to building quantified self-resilience?" Bilquez asks.

This shift compels organisations to move from passive reliance on insurance toward building quantified self-resilience. Cyber Risk Quantification (CRQ) emerges as the cornerstone methodology, leveraging Zurich's historical claims data, industry benchmarks, and threat simulation engines to model financial exposure across scenarios such as ransomware, data leakage, or supply-chain breaches.

The output? Executive-ready metrics that justify cyber defence budgets, prioritise control investments, and validate risk transfer strategies.

Uniting engineering, security, and finance

When an AI-driven disinformation campaign targets brand reputation, or when a climate event shuts down production facilities, the speed of response determines survival.

"When an AI-driven disinformation campaign targets an organisation's brand or a climate event shuts plants, do organisations have a playbook that unites engineering, the CISO, and the CFO within ten minutes?" Vivien Bilquez

Yet many Asian enterprises lack a unified playbook that quickly brings these functions together. ZRS advocates for pre-scripted crisis protocols that define decision rights, communication channels, and escalation paths before a crisis strikes.

Tabletop exercises—structured, discussion-based simulations—test these playbooks against hybrid scenarios: a physical strike combined with data exfiltration designed to manipulate stock prices. The goal is not perfection but preparedness: identifying gaps, refining coordination, and building muscle memory for high-stakes moments.

Building the resilience ecosystem

Ultimately, resilience in 2026 demands an ecosystem approach. ZRS combines over 100 cyber engineers with 1,000 risk specialists across manufacturing, energy, healthcare, and logistics to deliver integrated advisory services.

From Cyber Risk Quantification and OT assessments to AI governance and third-party risk management, the portfolio addresses the full spectrum of emerging threats. Crucially, these services are data-led: benchmarking customer maturity against industry peers, leveraging real-world claims insights, and continuously updating threat models.

For Asian enterprises navigating economic uncertainty and climate volatility, this partnership model offers more than protection—it enables strategic agility.

Questions for leadership

As Bilquez concludes, putting an organisation on the path to resilience begins with disciplined inquiry: "How dependent are we on contested supply chains? Are our backups designed for simultaneous crises? Do we treat managed service providers as critical infrastructure? Have we stress-tested response plans against hybrid attacks?"

By confronting these questions with evidence-based engineering, Asian businesses can transform vulnerability into fortified readiness. In an era of poly-crisis, resilience is not a destination but a continuous discipline—one that Zurich Resilience Solutions helps leaders embed across strategy, operations, and culture.

As Bilquez affirms: "Resilience means stress-testing for layered shocks—where a trade war, a flood, and a data exfiltration all arrive on the same Tuesday." For Asia's leaders in 2026, that foresight is the ultimate competitive advantage.
