Emerging risks | Growth Opportunities | APAC Insurance

Friday, March 6, 2026

Cloud cover: Forecasting digital disruption in a cybercrime climate | QBE Asia

AI adoption and cloud platform capabilities are transforming business – but the speed and scale of such a rapid shift provides rich opportunity for ransomware, fraud and third-party disruption.

Three things to take away:

1. How cloud and AI adoption can boost efficiency, but risk greater exposure for businesses.
2. How threat actors are evolving, and using new tools and old tactics to attack and disrupt businesses.
3. How businesses can embed risk management into tech so that resilience is built in, not bolted on, to future planning.

The shift to public, private and hybrid cloud platforms is unlocking new efficiencies, driving automation and supporting artificial intelligence (AI) adoption. These advances are creating competitive advantages, but they are also unfolding against a threat landscape that is evolving even more rapidly. As businesses increase their reliance on cloud services, attackers are exploiting weaknesses such as poor identity controls, misconfigurations and unsecured data.

Generative artificial intelligence (GenAI) amplifies risk, enabling adversaries to act with greater speed and precision, while lowering the technical barriers for entry-level cybercriminals. With threat actors using GenAI to breach security systems, businesses are exposed to operational disruption, resulting in financial, reputational and potential regulatory impacts. Threats linked to GenAI use have manifested in deepfake scams, identity fraud and automated phishing attacks. Ransomware incidents continue to rise as a result, with the Information Technology-Information Sharing and Analysis Center (IT-ISAC) recording 1537 ransomware attacks in Q1 2025, compared to 572 in Q1 2024. The disruption they cause now represents a fundamental risk to organisations dependent on third parties, including cloud providers.

A proactive, resilience-first approach is essential. Businesses must embed risk management into their technology systems, anticipate third-party vulnerabilities and build continuity planning into their operations.

The scale of cloud adoption underscores the urgency in moderating this exposure. The global market is expected to exceed USD 5 trillion by 2034, up from USD 912 billion in 2025. As more organisations transfer infrastructure and data to cloud servers, those servers become high-value targets. High-severity cloud alerts increased by 235% throughout 2024 compared with the previous year, reflecting both the surge in adoption and the increasing capability of attackers.

Most cloud-hosted attacks focus on business email compromise (BEC). Criminals exploit platforms such as Microsoft 365 to launch BEC phishing campaigns, which can open the door for taking over accounts or harvesting credentials, through a trusted cloud platform rather than via typosquatted domains or email spoofing. This means these attacks can be completed without triggering many common security measures. Additionally, state-linked threat actors and sophisticated cybercriminal groups are favouring cloud-specific threats to digital infrastructure.

Double exposure: ransomware and phishing

Nearly half of corporate data stored in cloud servers is classified as sensitive, making it attractive to ransomware operators. New ransomware variants are designed to scan for and target cloud-based collaboration tools, and attackers are increasingly able to move laterally between on-premises and cloud systems, encrypting or exfiltrating data as they go.

Phishing remains the leading access point for cloud-related incidents, accounting for one-third of intrusions in 2023 and 2024. Often, attackers leverage phishing tactics to steal credentials through adversary-in-the-middle (AITM) attacks. Threat actors have also been successful in exploiting cloud application flaws, using stolen legitimate credentials, and gaining access to privileged users or service accounts.

Supply chain and third-party dependencies

The growing convergence of data hosting and management has made third-party providers an attractive target for cybercriminals. A single compromised supplier can expose multiple businesses – sometimes hundreds at a time. Cloud and data storage is a likely target for threat actors of all capabilities, as data is growing in value on cybercriminal marketplaces.

By 2025, the volume of data stored worldwide is projected to reach 200 zettabytes (200 trillion gigabytes) across private and public IT infrastructures, utility infrastructures, private and public cloud data centres, personal devices and internet of things (IoT) devices. Half of this data will be stored in the cloud, compared with 43% of data stored in the cloud in 2024, an estimated 15% in 2020 and only 10% in 2015. This concentration of valuable data makes cloud providers and storage services appealing to attackers.

Nation-state actors

State-linked groups are increasingly exploiting weaknesses in cloud systems.

GenAI: defence or weapon?

GenAI is reshaping the cyber threat environment. Its usage and marketplaces look certain to surge over the next five years in Asia as GenAI tools bring productivity benefits across most, if not all sectors.

But the misuse of the same technology for fraud and extortion has emerged as a widespread threat. Deepfake-enabled fraud is a particularly alarming development, where cybercriminals impersonate executives, board members and public figures using synthetic voices, videos and images.

These tactics are employed to deceive employees into transferring substantial sums of money to unauthorised accounts controlled by criminal networks. In 2024, deepfakes were implicated in nearly 10% of successful cyberattacks, with financial losses ranging from USD 250,000 to more than USD 20m.

State-sponsored attackers also use GenAI to write malicious code, using large language models (LLMs) to conduct reconnaissance and scale malware operations. Such actors may also target LLMs used by businesses for internal functions downstream, causing outages and integrity issues that disrupt operations.

Cybercriminal groups have increasingly leveraged GenAI and deepfake technologies to conduct financially motivated attacks across sectors on a global scale. GenAI is capable of crafting effective phishing templates or conducting highly sophisticated social engineering campaigns at speed. Low-capability cybercriminal attackers have used AI to assist in script development and malware coding. Businesses will likely face a rise in attacks from groups previously dismissed as too technically incompetent or resource-poor to pose a realistic threat. Ransomware extortion cases that were publicly disclosed increased by 54% in January-April 2025 compared with the same period the year before.

The cost of compromise

Successful ransomware attacks can trigger financial losses, reputational harm and even litigation, not only for the targeted business, but also for third-party providers and their customers. The widespread adoption of cloud services and other emerging technologies has coincided with a steady rise in ransomware activity in recent years. A major wave of attacks against organisations in the UK retail and finance sectors in May 2025, led by cybercriminal group Scattered Spider, highlights this pattern. The group relied on advanced social engineering and phishing to gain entry, impersonating trusted platforms through typosquatted domains of third-party SaaS providers and phishing kits that tricked victims into handing over credentials and session data.

Organisations worldwide continue to face significant disruption from third-party failures. Over the past two years, mass outages and cyber incidents originating from suppliers have affected multiple sectors. One of the most notable was CrowdStrike’s faulty update to its Falcon Sensor in 2024, which impacted around 8.5m Windows devices. While this represented fewer than 1% of all Windows machines, the outage had global consequences, with healthcare, aviation and other transport among the hardest hit sectors.

Cybercriminals quickly exploited the situation, launching follow-up phishing campaigns that used CrowdStrike-related lures to compromise systems, steal data and extort victims. Although the incident was not a targeted attack, it highlighted the systemic impact such failures can have on organisations reliant on SaaS for critical business functions. Previous attacks, such as the MOVEit mass vulnerability campaign and the NotPetya mass cyber attack, demonstrated similar ripple effects, disrupting downstream customers well beyond the original point of compromise.

Globally, organisations face the growing risks of operational downtime, financial loss and reputational damage as criminals exploit an expanding attack surface. The increasing use of third-party services such as cloud-hosting, external software or AI tools in day-to-day operations has given threat actors more opportunities to strike.

Resilience by design

If cloud adoption and AI integration accelerate at the expected pace, attackers will continue to benefit from increased opportunities and entry points, and businesses will remain vulnerable to attack. A robust strategy is essential to anticipate and withstand cyber incidents, particularly those arising from third-party services and cloud environments that now underpin critical business functions.

Building resilience means embedding cyber risk management into technology lifecycles from the outset. This involves implementing strong identity and access management (IAM) protocols, running regular configuration audits, and encrypting sensitive data across all cloud environments. Proactive measures such as continuous monitoring, threat intelligence, and incident response plans help detect and contain threats before they escalate.

Businesses should also evaluate the security posture of their third-party providers and establish clear protocols for managing supply chain exposure. By adopting these practices together, organisations will better protect operations, preserve continuity and maintain trust in an increasingly volatile cyber landscape.

Steps to building cyber resilience

Mature organisations can build proportionate cyber resilience through several actions:

  • Understand and index risk profiles to identify critical assets, threats, and vulnerabilities and document a clear view of organisational exposures.
  • Define acceptable organisational risk so leadership sets clear boundaries for acceptable risk and exposure.
  • Prioritise risk mitigation strategies that focus resources where they will have the greatest impact.
  • Prepare for worst case scenarios with tested contingency plans and recovery protocols.
  • Test crisis management capabilities to stress test decision-making, communication, and crisis response.
  • Integrate third party support into cyber security strategy to provide expertise on managing residual risks.
  • Proactively monitor trends and adapt cyber defences to stay ahead of evolving threats, new technologies and changing business needs.

Sam Russell-Vick
Senior Cyber Underwriter, QBE

As Asian businesses increase their use of cloud infrastructure and AI tools in day-to-day operations, they are also reshaping their risk landscape. The threat vectors described in this report are already in action and align closely with trends and claims we’re seeing across different industries. For many risk managers, the requirement has become one of both risk mitigation and playing catch up to existing exposures, which have evolved at speed.

The supply chain threat continues to cause concern for companies in Asia and more broadly across the world. While outsourcing certain parts of your business can create efficiencies and cost savings, there are security considerations to bear in mind.

Each outsourced provider that connects into your company creates an additional layer of risk – not only in terms of potential malware transmission but also in terms of critical dependencies. A failure at one key point in the supply chain can quickly halt business operations altogether. It is therefore essential to map out exactly which suppliers connect into your business, to understand the impact should those services become unavailable.

Recent examples of cyber incidents have made the headlines in Asia, showing the vast impact they can have on operations and financials. With cloud platforms now mainstream, third-party exposure is no longer a fringe issue, but very much a mainstream challenge. Similarly, systemic third party failures can have wide-ranging impacts.

Cyber underwriters are acutely aware that local governments have urged businesses to “beef up buffers” against similar events, highlighting the regulatory expectation for businesses to take responsibility for future resilience.

The regulatory environment for cyber in Asia is tightening. Cyber Security Acts in Singapore and Malaysia, as well as Hong Kong’s Protection of Critical Infrastructure Bill, will broaden the remit of regulation to include managed service providers, data centres and supply-chain actors, highlighting the importance of oversight and accountability. This shift means that Asian businesses will require strong due diligence processes when engaging with third-party suppliers, alongside clearer contractual terms regarding risk, incident reporting and remediation.

For cyber underwriters, the rapid expansion of digital attack surfaces and shifts in government regulation demand rigorous scrutiny of our customers’ resilience. Focusing on perimeter defences no longer offers sufficient protection – instead we’re looking to see that businesses are also adopting a ‘resilience by design’ approach.

In simple terms, businesses that can demonstrate structured risk governance, robust stress testing and resilient architecture will be better prepared to face a cyber event – which would be viewed positively by underwriters when assessing each risk. In our current cyber climate, this can make the difference between facing exclusions, higher retentions or tougher premiums – or insurers placing your cover quickly and smoothly.
