AI, quantum and trust:

A new shape of cyber risk in Malaysia

  • Insight
  • 20 minute read
  • May 15, 2026

Alex Cheng

Director, Cyber Threat Operations, PwC Malaysia

Cindy Lee

Senior Associate, Cyber Threat Operations, PwC Malaysia

Malaysian organisations stand at a critical inflection point as artificial intelligence (AI) accelerates the sophistication of cyber threats and attacks become identity-driven. What does resilience mean in this threat landscape?

The way organisations are being compromised is changing, and the shift is quieter than most expect. Attackers are no longer breaking down doors; they are logging in, exploiting trusted identities, and moving through systems as though they belong there.

At the same time, the tools available to both attackers and defenders are evolving. As noted in PwC's Annual Threat Dynamics 2026 report, AI is reshaping how attacks are launched and how they are detected. Blind spots across edge devices, supply chains, and cloud ecosystems are being tested, not through brute force, but by turning trusted dependencies into pathways.

For Malaysia, this is not a distant concern. The country's rising international profile—from its Tier 1 ranking in the ITU Global Cybersecurity Index and regional leadership on ASEAN cybersecurity policy, to its proactive push on post-quantum cryptography (PQC)—brings greater visibility. And visibility brings attention. Escalating geopolitical tensions have prompted 67% of Malaysian business leaders to increase cyber investment, while threats against National Critical Information Infrastructure (NCII) sectors continue to grow.

Three recent cases, spanning different geographies and industries, illustrate these patterns in practice and offer lessons directly relevant to organisations operating in Malaysia today.

67%

of Malaysian business leaders plan to increase cyber investment in response to escalating geopolitical tensions

Source: 2026 Global Digital Trust Insights (Malaysia highlights)

Top cyber threats in Malaysia

From reported public cases to the pre- and post-incident response engagements we have supported, we observe that attackers mainly target key infrastructure and organisations with poor cyber hygiene.

Poor cyber hygiene practices that attackers target, each of which provides the initial foothold:

  • Unpatched servers
  • Hardcoded configurations prone to abuse
  • No network segmentation
  • Lack of contextual identity verification (authentication that checks only a credential, not the device, location or behaviour behind the login)

Mirroring global trends, recent attack patterns in Malaysia show that attackers are choosing to log in rather than break in. Exploitation concentrates on traditional, perimeter-protected trust boundaries such as external connections, third-party components, compromised identities, and other trusted network relationships, pointing to a rise in identity-based attacks.

Ransomware remains one of the most significant manifestations of this trend, both globally and in Malaysia. PwC's Annual Threat Dynamics 2026 noted that in the last year alone,

7,635

leak-site victims were reported worldwide

135

ransomware groups detected

58%

y-o-y increase in incidents reflects the growing fragmentation of the ransomware ecosystem through Ransomware-as-a-Service

This is not theoretical for Malaysia. On 1 March 2026, a major Malaysian organisation fell victim to the ransomware group Qilin, which not only breached its systems but also threatened to release sensitive data unless the victim entered negotiations.

The threat extends beyond traditional ransomware. AI-powered scams leveraging deepfake and voice-cloning technology are escalating rapidly in Malaysia, with over 67,000 online crime cases and losses exceeding RM2.7 billion recorded between January and November 2025 alone.

Voice cloning, facial re-enactment, and AI-generated identities have become standard tools in the scammer's kit, used to fabricate urgency and bypass verification systems that were never designed with synthetic media in mind. As organisations invest in securing their perimeters, adversaries are increasingly exploiting trust itself, whether through a cloned voice on a WhatsApp call or a fabricated video of a national leader endorsing a fraudulent scheme.

The elephant in the room—legacy and trust

We often talk about progressive investments and adoption of best practices aligned with regulatory compliance. However, how often is implementation approached with the intent of doing it right up front, rather than "I just want to tick the box and move on"?

What compounds this challenge is architectural debt. Dependencies on legacy architecture, software, and third parties create single points of failure that adversaries can exploit, especially where implicit trust remains in play.

As organisations modernise their environments and adopt secure-by-design principles, many have accelerated their adoption of cloud and Software as a Service (SaaS) platforms, as well as cloud service providers' native AI services. Yet while organisations invest in securing their own environments, the ecosystems they depend on can be equally vulnerable. Third-party software, open-source libraries, cloud APIs, and managed services all form part of a complex digital supply chain.

Organisations routinely place implicit trust in these components, assuming that a widely adopted library is safe, that a vendor's security tools are uncompromised, or that a third-party API integration has been adequately secured. When that trust is misplaced, the consequences can cascade rapidly.

A regulatory perspective on the next frontier

There has been a clear push towards visibility and observability across Malaysia's cyber landscape, especially as organisations prepare for the next frontier: post-quantum cryptography (PQC) risks. The National Cyber Security Agency's (NACSA) Chief Executive Order No. 9, together with mandatory codes of practice for NCIIs, requires all NCII entities to inventory their cryptographic assets and plan for post-quantum cryptography migration. As foundational steps, NCIIs are explicitly required to prepare both a Software Bill of Materials (SBOM) and a Cryptographic Bill of Materials (CBOM).

This posture is echoed across regulated industries: Bank Negara Malaysia (BNM)'s updated Risk Management in Technology (RMiT) policy not only elevates authentication, device binding, and fraud prevention controls from guidance to mandatory standards, but also strengthens requirements around cryptographic key management and algorithm governance to address IT asset and crypto asset risk. Non-compliance with these requirements may lead to supervisory and enforcement actions. For example, BNM recently imposed a fine of RM1 million on a local bank for inadequate cybersecurity controls and weak incident response following a prior breach. The Malaysian Communications and Multimedia Commission's (MCMC) telecommunications security standards reinforce similar expectations for the communications sector.

The regulatory stance is consistent across these frameworks: document what you have, track your dependencies, and plan for remediation before adversaries exploit what you have overlooked.

The threat landscape, regulatory trajectory, and technology shifts outlined above are not abstract. They carry direct implications for how Malaysian businesses must operate, invest, and build resilience going forward. Organisations can no longer treat cybersecurity as a perimeter problem or a compliance exercise. The convergence of identity-based attacks, AI-powered fraud, quantum threats, and deepening supply chain dependencies demands a fundamental shift in posture—from reactive to deliberate, and from implicit trust to continuous verification. Three priorities stand out.

Zero Trust as the practical defence

The volatile nature of today's cyber landscape requires organisations to adopt and consistently implement Zero Trust principles, "never trust, always verify," not as a one-time fix, but as an ongoing journey focused on continuous authentication and authorisation to minimise implicit trust and strengthen overall security.

What this looks like in practice depends on where an organisation sits in its modernisation journey.

  • For organisations building new environments, the opportunity is to do it right from the outset. This means moving away from security models that rely on a single point of authentication and instead embedding continuous monitoring of user and device behaviour to detect anomalies that indicate compromised accounts or insider threats.
  • For those operating in or moving to API-rich ecosystems, such as financial services and open banking, the security of third-party API integrations and the declaration of software and cryptographic components (SBOM and CBOM) should be treated as a core part of third-party risk management, not an afterthought.
  • This approach must also extend to common blind spots such as third-party connections and open-source components, particularly as rising geopolitical tensions increase supply chain risk. Conflicts between major technology-producing nations can disrupt access to critical software and services or increase the likelihood that widely used tools become targets.
  • Organisations investing in new architecture have the advantage of designing these controls in from the start rather than retrofitting them later.
  • Zero Trust is not out of reach. It does not require a wholesale replacement of existing platforms. At its core, it means knowing what you have, knowing who is accessing it, and verifying both continuously.
  • This can begin with foundational steps: documenting IT and cryptographic assets, enforcing least-privilege access, segmenting critical systems from the broader network, and improving visibility into user behaviour and third-party connections.
  • Even within legacy environments, organisations can meaningfully reduce implicit trust by layering in controls such as multi-factor authentication, network segmentation, and monitoring for anomalous activity.
  • The goal is not perfection on day one but a deliberate, progressive reduction of the attack surface with the resources available.
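
What "contextual identity verification" and "continuous monitoring of user and device behaviour" can look like in code, as an added example that is not part of the original article or any PwC tooling: the script below scores each sign-in against the account's own history (known devices, known countries, impossible travel between consecutive sign-ins, and whether MFA was used) and asks for step-up verification when the score crosses a threshold. The log line format, the country coordinates, the risk weights and the threshold are all constructed assumptions; a real deployment would read the identity provider's sign-in events and tune the weights to the organisation's baseline.

```python
"""Contextual sign-in risk scoring over a constructed authentication log.

Added example (not PwC's code). The log format, coordinates, weights and
threshold below are assumptions chosen for illustration.
"""
import math
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed approximate coordinates for the countries that appear in the sample log.
GEO = {"MY": (3.14, 101.69), "SG": (1.35, 103.82), "NL": (52.37, 4.90)}
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than this between sign-ins is impossible travel
STEP_UP_THRESHOLD = 4        # assumption: risk at or above this triggers re-verification

# Constructed sample log, one sign-in per line (not real data).
SAMPLE_LOG = """\
2026-03-01T08:02:11Z user=alice country=MY device=lap-17 mfa=yes result=success
2026-03-01T09:30:00Z user=bob country=SG device=ph-04 mfa=yes result=success
2026-03-02T08:05:40Z user=alice country=MY device=lap-17 mfa=yes result=success
2026-03-02T10:12:03Z user=alice country=NL device=unk-99 mfa=no result=success
2026-03-02T11:00:00Z user=bob country=SG device=ph-04 mfa=yes result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) "
    r"device=(?P<device>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    country: str
    device: str
    mfa: bool
    result: str

def parse_line(line: str) -> SignIn:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return SignIn(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), user=m["user"],
                  country=m["country"], device=m["device"],
                  mfa=(m["mfa"] == "yes"), result=m["result"])

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def score_event(ev: SignIn, baseline: list) -> tuple:
    """Score one sign-in against the user's accepted history (oldest first)."""
    risk, reasons = 0, []
    if not ev.mfa:
        risk += 3; reasons.append("no MFA")
    if not baseline:
        reasons.append("no baseline (first sign-in)")
        return risk, reasons
    if ev.device not in {b.device for b in baseline}:
        risk += 2; reasons.append("new device")
    if ev.country not in {b.country for b in baseline}:
        risk += 2; reasons.append("new country")
    last = baseline[-1]
    if last.country != ev.country:
        hours = (ev.ts - last.ts).total_seconds() / 3600
        km = haversine_km(GEO[last.country], GEO[ev.country])
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            risk += 4; reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return risk, reasons

def evaluate_log(lines) -> list:
    """Return a decision per event in time order; only allowed successes join the baseline."""
    history, decisions = {}, []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        baseline = history.setdefault(ev.user, [])
        risk, reasons = score_event(ev, baseline)
        decision = "step_up" if risk >= STEP_UP_THRESHOLD else "allow"
        decisions.append({"ts": ev.ts.isoformat(), "user": ev.user, "risk": risk,
                          "decision": decision, "reasons": reasons})
        if ev.result == "success" and decision == "allow":
            baseline.append(ev)   # a stepped-up login never normalises the next one
    return decisions

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG.splitlines()):
        print(d["ts"], d["user"], d["decision"], d["risk"], "; ".join(d["reasons"]))
```

The fourth sample event (a login from a new country and unknown device, without MFA, about two hours after a login in Malaysia) is the "logged in, not broken in" case: the credential was valid, and only the context exposes it. Note that a successful sign-in joins the account's baseline only when it was allowed, so an attacker's first success cannot make the next one look normal.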

Businesses should prepare for quantum-related cyber threats

The Zero Trust principle of continuous verification is built on several foundations, but one cuts across all of them: the integrity of cryptography. If the encryption underpinning authentication, secure communications, and data protection can be broken, the entire trust model collapses.

The quantum threat makes this a practical concern, not a theoretical one. "Harvest now, decrypt later" and "trust now, forge later" strategies mean that encrypted data, communications, and digital signatures secured today could be retroactively decrypted or forged once quantum capabilities mature. For organisations managing long-lived sensitive information, the exposure window is not years away. It is open now.

Preparing for this shift centres on post-quantum cryptography: encryption, key-establishment and signature algorithms designed to withstand attacks by quantum computers. But migration is not a simple swap. What it demands depends on where an organisation sits.

  • Different systems, platforms, and protocols carry different dependencies, and migration timelines are rarely within a single organisation's control. They are shaped by vendor readiness, regulatory timelines, and interoperability demands.
  • In sectors such as financial services, telecommunications, and healthcare, coordination across supply chains, standards bodies, and sector regulators is essential. A unilateral approach to migration is not feasible.
  • Organisations that have begun documenting their cryptographic assets through CBOMs will be better positioned to identify where current algorithms need to be transitioned and to plan migration roadmaps accordingly.
  • NACSA's Chief Executive Order No. 9, coordinated by the Malaysian Cryptology Technology and Management Centre (PTPKM), has set in motion a National Post-Quantum Cryptography Migration Plan targeting 2030 under the MyKriptografi initiative.
  • However, the plan is intentionally non-prescriptive on individual entity timelines, placing the onus on each NCII entity and sector lead to define their own approach.
  • The gap between intent and action is evident. PwC's Digital Trust Insights found that 12% of organisations are already actively implementing quantum-resistant measures and 47% have reached piloting and testing stages. However, 42% report no implementation activity or plans in place.
  • With 2030 as the national target, that is a significant portion of the ecosystem yet to begin. The inventory and planning work must begin now.
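
A CBOM is only useful if it lets you rank what to migrate first. As an added example (not code from the article, NACSA or PTPKM, and serving both the SBOM/CBOM requirement described in the regulatory section above and the migration-planning point here), the Python below turns a constructed inventory of observed primitives into a simplified CycloneDX-style CBOM and applies Mosca's inequality (shelf life X plus migration time Y greater than the time Z until a cryptographically relevant quantum computer) to separate harvest-now-decrypt-later and trust-now-forge-later exposures from routine hygiene. The inventory lines, the classification table, the eight-year horizon and the three-year migration estimate are assumptions; the JSON layout imitates CycloneDX 1.6 cryptographic assets but is not a validated CycloneDX document.

```python
"""Minimal cryptographic bill of materials (CBOM) with post-quantum triage.

Added example; not code from PwC, NACSA or PTPKM. Inventory lines, the
primitive table, the planning horizon and migration estimate are assumptions.
"""
import json
import re
from dataclasses import dataclass

YEARS_TO_CRQC = 8      # assumption: Z in Mosca's inequality (time until a relevant quantum computer)
MIGRATION_YEARS = 3    # assumption: Y, time needed to migrate a typical system

# Assumed classification: how a large quantum computer affects each primitive family.
PRIMITIVES = {
    "RSA-2048":    ("asymmetric",    "Shor: replace with ML-KEM (key establishment) or ML-DSA (signatures)"),
    "ECDSA-P256":  ("asymmetric",    "Shor: replace with ML-DSA"),
    "AES-128-GCM": ("symmetric-128", "Grover halves effective strength: move to AES-256"),
    "AES-256-GCM": ("symmetric-256", "considered quantum-safe"),
    "SHA-256":     ("hash-256",      "considered quantum-safe"),
    "3DES":        ("deprecated",    "classically weak/deprecated: replace regardless of quantum"),
    "SHA-1":       ("deprecated",    "classically broken for signatures: replace regardless of quantum"),
}

# Constructed scan output (not real data): one observed primitive per line, with the
# number of years the protected data must stay confidential or trustworthy (shelf life X).
SAMPLE_INVENTORY = """\
asset=web-tls-edge   primitive=RSA-2048    use=key-exchange    shelf_life=1
asset=web-tls-edge   primitive=AES-128-GCM use=bulk-encryption shelf_life=1
asset=archive-bucket primitive=RSA-2048    use=key-wrap        shelf_life=15
asset=archive-bucket primitive=AES-256-GCM use=bulk-encryption shelf_life=15
asset=code-signing   primitive=ECDSA-P256  use=signature       shelf_life=10
asset=legacy-vpn     primitive=3DES        use=bulk-encryption shelf_life=3
asset=legacy-vpn     primitive=SHA-1       use=integrity       shelf_life=3
asset=doc-hash       primitive=SHA-256     use=integrity       shelf_life=7
"""

LINE_RE = re.compile(r"^asset=(\S+)\s+primitive=(\S+)\s+use=(\S+)\s+shelf_life=(\d+)$")

@dataclass
class CryptoAsset:
    asset: str
    primitive: str
    use: str
    shelf_life_years: int
    family: str
    verdict: str
    mosca_exposed: bool
    quantum_threat: str
    priority: str

def triage(asset, primitive, use, shelf_life,
           years_to_crqc=YEARS_TO_CRQC, migration_years=MIGRATION_YEARS) -> CryptoAsset:
    """Classify one observed primitive and assign a migration priority."""
    family, verdict = PRIMITIVES.get(primitive, ("unknown", "unclassified primitive: review manually"))
    # Mosca's inequality: X + Y > Z means the data is exposed before migration completes.
    exposed = shelf_life + migration_years > years_to_crqc
    threat = "none"
    if family in ("asymmetric", "unknown") and exposed:
        threat = "trust-now-forge-later" if use == "signature" else "harvest-now-decrypt-later"
    if family == "deprecated" or threat != "none":
        priority = "P1"
    elif family in ("asymmetric", "unknown") or (family == "symmetric-128" and exposed):
        priority = "P2"
    else:
        priority = "P3"
    return CryptoAsset(asset, primitive, use, shelf_life, family, verdict, exposed, threat, priority)

def parse_inventory(text: str) -> list:
    assets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised inventory line: {line!r}")
        assets.append(triage(m[1], m[2], m[3], int(m[4])))
    return assets

def build_cbom(assets) -> dict:
    """Simplified CycloneDX-style CBOM (assumed layout, not validated against the schema)."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6",
        "components": [
            {"type": "cryptographic-asset", "name": a.primitive,
             "cryptoProperties": {"assetType": "algorithm", "primitiveFamily": a.family},
             "properties": {"observed-in": a.asset, "use": a.use,
                            "shelf-life-years": a.shelf_life_years, "pqc-priority": a.priority,
                            "quantum-threat": a.quantum_threat, "action": a.verdict}}
            for a in assets],
    }

def summarise(assets) -> dict:
    counts = {}
    for a in assets:
        counts[a.priority] = counts.get(a.priority, 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    found = parse_inventory(SAMPLE_INVENTORY)
    print(json.dumps(build_cbom(found), indent=2))
    print("priority counts:", summarise(found))
```

On the constructed inventory the RSA key wrapping a fifteen-year archive and the ECDSA code-signing key land in P1 alongside the already-deprecated 3DES and SHA-1, while the same RSA-2048 on the public TLS edge, protecting data with a one-year shelf life, is only P2: the primitive is identical, but the exposure is not. That is the distinction a CBOM with shelf-life data lets a migration roadmap make.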

Know your supply chain beyond the first tier

Every external dependency an organisation relies on falls under the scope of third-party and supply chain risk. This includes cloud service providers, managed security service providers, SaaS vendors, open-source library maintainers, and any subcontractors within their ecosystem.

In Malaysia, regulatory attention on this front is increasing. While frameworks remain sector-specific rather than consolidated under a single regime, the direction is consistent: regulated entities are expected to set baselines, monitor continuously, and take accountability for any dependencies.

However, the practical challenge lies in what happens beyond the first tier. Current regulations place the onus on the regulated entity to manage its supply chain, but do not directly regulate fourth-party or nth-party providers.

This creates a gap: if an nth-party is breached, who is obligated to report, and how quickly does that information reach the organisation or the regulator? Without proactive incident notification obligations flowing downstream through the supply chain, organisations risk being the last to know about a compromise that directly affects them.

From a regulator's lens, the expectation is clear: accountability rests with the regulated entity, regardless of how many layers deep the dependency runs.

  • Baselines must be imposed, not assumed. Security standards, audit rights, and incident notification obligations must be contractually embedded not only with direct third parties but extended to their sub-contractors and downstream dependencies.
  • Incident reporting must flow upward proactively. Organisations need contractual and operational mechanisms that require nth-party providers to notify breaches or material incidents within defined timeframes, enabling the organisation to meet its own regulatory reporting obligations.
  • Validation cannot rely on attestation alone. Organisations need the ability to independently assess or continuously monitor the security posture of critical third parties and their dependencies, not just accept self-declared compliance.
  • Concentration risk must be mapped. Where multiple functions depend on a single nth-party provider, such as a cloud hyperscaler or a shared managed services provider, the organisation must identify and plan for these single points of failure.

The regulatory direction across sectors points the same way: know your dependencies, set the baseline, and ensure you are not reliant on trust alone to learn when something goes wrong.

Case studies

Learn more about three cyber attacks and lessons they offer for Malaysian organisations


The content and author information presented are accurate as of the time of publication.


Contact us

Clarence Chan

Partner, Digital Trust and Cybersecurity Leader, PwC Malaysia

Tel: +60 (3) 2173 0344

Alex Cheng

Director, Cyber Threat Operations, PwC Malaysia

Tel: +60 (3) 2173 0647

Tanvinder Singh

Director, Cyber and Forensics, PwC Malaysia

Tel: +60 (3) 2173 0293