As 2025 draws to a close, banks and financial institutions across Asia face an escalating and increasingly sophisticated cyber threat landscape. Regulatory scrutiny is intensifying, digital transformation continues unabated, and attackers—now armed with generative AI—are operating at unprecedented speed and scale.
According to the 2025 Cost of a Data Breach Report by IBM, the average cost of a breach in the financial sector globally reached USD 5.73 million, with Asia-Pacific organisations experiencing a 12% year-on-year increase in incident frequency. In this context, the traditional reactive security model—focused on detection and response—is no longer sufficient.
CISOs across the region are under mounting pressure to future-proof their institutions. The answer, increasingly, lies in preemptive cybersecurity: a proactive strategy that seeks to deny, disrupt, and deceive attackers before they can inflict harm.
Why preemptive cybersecurity matters now
Gartner defines preemptive cybersecurity as “a strategic approach that proactively denies, disrupts, and deceives attackers before an attack can succeed,” marking a decisive shift from reactive to anticipatory defence.
For Cezary Piekarski, group chief information security officer at Standard Chartered, this means “not waiting for harm to reach the Bank or our clients.” He explains: “It is about actively shaping the environment so adversaries waste time, expose themselves, and fail at scale.”
In Asia’s dense fintech ecosystems—where open banking, real-time payments, and cross-border digital wallets are proliferating—attack surfaces have expanded exponentially. Cybercriminals are exploiting these seams, particularly through supply chain compromises and identity-based attacks.
Piekarski notes that “traditional security tools often fail to detect advanced threats before impact,” underscoring the urgency for more dynamic defences.
“An advanced deception environment needs to integrate multiple components such as decoys, lures, and breadcrumbs across enterprise systems, and blend with legitimate assets creating a digital maze that safely attracts and studies the attackers in real time,” he continues.

“Given our privileged role in safeguarding client assets and trusts, financial institutions need to be more actively disrupting criminal operations, going beyond networks and endpoints to disrupt the financial value chain itself.” Cezary Piekarski
He argues that deception enables security teams to shift from reacting to incidents to anticipating them. “It helps us make the bank a far more resilient and unpredictable environment for attackers, while ensuring our customers’ assets, transactions, and digital experiences remain safe and trusted,” he concludes.
AI and machine learning: From detection to prediction
Artificial intelligence and machine learning are central to the preemptive paradigm. As Piekarski observes, “Organisations can harness AI and machine learning for anomaly detection, behavioural analysis, fraud pattern recognition and AI-assisted alert triage.”
One critical application is identifying beaconing behaviour—when malware “calls home”—by establishing baseline behavioural profiles for every device. Deviations from these norms can trigger automated responses, potentially halting zero-day exploits before execution.
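The following added example (not from the article or from any bank's tooling) sketches that idea in Python: learn which destinations each device normally contacts, then flag out-of-baseline destinations contacted at near-constant intervals. The device names, destinations, flow records and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (epoch_seconds, device, destination).
BASELINE = [
    (0, "teller-ws-01", "core-banking.internal.example"),
    (40, "teller-ws-01", "mail.internal.example"),
    (95, "atm-gw-02", "switch.internal.example"),
]
OBSERVED = (
    # Regular ~60 s check-ins with small jitter to a destination not in the baseline.
    [(1000 + 60 * i + j, "teller-ws-01", "cdn-sync.example.net")
     for i, j in enumerate([0, 2, -1, 1, 0, -2, 1, 0])]
    # Bursty, human-driven traffic to a destination already in the baseline.
    + [(t, "teller-ws-01", "mail.internal.example") for t in (1003, 1010, 1190, 1200, 1460)]
    # New destination but irregular timing (for example, a user browsing).
    + [(t, "atm-gw-02", "vendor-portal.example.org") for t in (1005, 1011, 1300, 1320, 1900, 1904)]
)

def build_baseline(records):
    """Per-device set of destinations seen during the learning window."""
    profile = defaultdict(set)
    for _, device, dest in records:
        profile[device].add(dest)
    return profile

def find_beacons(records, profile, min_events=6, max_cv=0.10):
    """Flag (device, dest) pairs outside the device's baseline whose
    inter-arrival times are near-constant (low coefficient of variation)."""
    times = defaultdict(list)
    for ts, device, dest in records:
        if dest not in profile.get(device, set()):
            times[(device, dest)].append(ts)
    alerts = []
    for (device, dest), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few events to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            alerts.append({"device": device, "dest": dest,
                           "period_s": round(mean), "cv": round(cv, 3)})
    return alerts

if __name__ == "__main__":
    for alert in find_beacons(OBSERVED, build_baseline(BASELINE)):
        print(alert)
```

Fixed-interval checks like this miss beacons with heavy jitter or long sleep times, so in practice the timing test is one signal alongside others rather than a standalone control.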
AI also helps prevent human error. Piekarski highlights how “AI assistants can learn email patterns to understand the link between the email content and intended recipient,” thereby flagging misdirected emails that could lead to data leakage.
In Asia, where multilingual and multicultural workforces increase communication complexity, such contextual AI safeguards are especially valuable.
Threat intelligence and zero-day defences
The financial sector’s threat intelligence needs are uniquely demanding. Piekarski emphasises the importance of integrating “active infrastructure scanning, malware repositories, and brand-abuse identification” into a unified view.
Modern platforms using relational hypergraphs now enable institutions to map complex attacker infrastructures—crucial for anticipating campaigns targeting regional payment systems like India’s UPI or Thailand’s PromptPay.
Yet zero-day threats remain a stubborn challenge. “Many existing solutions rely on signature-based or pattern-based detection, which cannot identify new, previously unseen attacks,” Piekarski cautions.
However, he adds that “advanced controls that incorporate AI, machine learning, and behavioural analytics are improving detection capabilities by identifying anomalies.”
Still, he stresses that “no control can guarantee complete protection,” underscoring the need for layered, adaptive architectures.
Measuring what matters: Outcomes over activity
How should CISOs gauge the success of their preemptive strategies? Piekarski offers a clear framework: “First and foremost, by the outcomes: fewer successful compromises, lower client loss rates, reduced fraud losses, and faster containment of incidents when they do occur.”
He also advocates measuring “adversary friction”—for example, how often attackers are lured into decoys or how swiftly money-out channels are shut down.
Red and purple team exercises, he notes, provide independent validation, while “responsiveness and speed to deploy controls following new intelligence” reflect operational agility.
Ultimately, “when the organisation becomes a consistently expensive, high-friction target, the strategy is working.”
Regulatory realities in Asia
Asia’s regulatory environment is evolving rapidly. In 2025, the Monetary Authority of Singapore (MAS) updated its Technology Risk Management (TRM) Guidelines to expect “proactive threat-hunting and predictive controls” for systemically important institutions.
Similarly, Hong Kong’s HKMA now requires banks to demonstrate “resilience against AI-enabled attacks” in their cyber stress tests.
However, preemptive techniques—particularly deception technologies and autonomous AI responses—raise legal and compliance questions.
For instance, deploying honeypots that mimic customer data environments may conflict with data minimisation principles under Thailand’s PDPA or Indonesia’s PDP Law. CISOs must therefore ensure that deception fabrics are architected to avoid storing or simulating real personal data, aligning with local privacy frameworks.
Moreover, the use of AI in cybersecurity must comply with emerging AI governance codes. Singapore’s Model AI Governance Framework and Japan’s AI Principles both stress transparency and human oversight—requirements that apply equally to defensive AI systems.
Strategic shifts for 2026
“By 2030, preemptive cybersecurity solutions will account for 50% of IT security spending, up from less than 5% in 2024, replacing standalone detection and response (DR) solutions as the preferred approach to defend against cyberthreats.” Gartner
Piekarski urges CISOs to “take Gartner’s prediction as a mandate to move first,” advocating a reallocation of investments “from pure detection towards capabilities that continuously deny, disrupt, and deceive attackers.”
For the Bank’s group CISO, this includes AI-driven intelligence that anticipates behaviour, automated hardening, and deception fabrics embedded into critical journeys.
“With adversaries already weaponizing AI to scale reconnaissance and accelerate attack cycles, defensive AI must be used to stay ahead, not catch up.” Cezary Piekarski
He stresses the need for “tight fusion between cybersecurity, fraud, and financial crime teams,” reflecting the blurred lines between cyber intrusions and monetary fraud in Asia’s digital-first banking landscape.
Additionally, CISOs must “help their Boards understand attacker economics—success is measured by making the institution commercially unviable to attackers.”
