Views
Jul 9, 2026
6
Minutes read

Malaysia’s Digital Resilience in Times of Crisis

Authors
Jun-E Tan
Bor Neng Quan
Bor Neng Quan
Key Takeaways
Data Sets Overview
  • This article is part of an ongoing series of reactions to the US-Israel war on Iran and its implications to Malaysia, by KRI researchers.
  • In the article, we highlight that Malaysia’s critical sectors are increasingly digitalised and dependent on global digital infrastructure, vulnerable to shocks and crises beyond our borders.
  • We offer the financial sector as a case of proactive risk management, and argue that Malaysia is well-positioned to build digital resilience as it already has the necessary regulatory structures to act.
malaysias-digital-resilience-in-times-of-crisis
Views
Individual reflections and analyses on timely topics, offering context and thoughtful viewpoints that help readers better understand emerging trends and policy debates.
Disclaimer
As we transition to a digital-first communication and continue building our knowledge hub, publications released before October 2025 are preserved in their original format. Publications released from October 2025 onward adopt a new, digitally friendly format for easier online reading. The official versions of earlier publications, including their original language and formatting, remain available in the downloadable PDF.

Introduction

As we move into the second half of the year, the world remains entrenched in the crisis brought about by the United States-Israel/Iran conflict1. Strikes and counter-strikes in the region have taken thousands of lives and damaged civilian infrastructure. The closure of the Strait of Hormuz, a key shipping route, has also had devastating consequences on global supplies and economic stability.  

As the conflict rages on, most of the attention locally in Malaysia has focused on the resulting food and fuel crisis. While that is important, we believe it is equally crucial to highlight a less-discussed issue - Malaysia’s digital resilience in times of crisis. The war in Iran has the potential to trigger systemic failure in critical services in Malaysia when global digital infrastructure is attacked physically or virtually, or suffer incidentally as collateral damage.

This is not a hypothetical consideration. On 1 March, Iran’s Islamic Revolutionary Guard Corps (IRGC) bombed two Amazon data centres in the United Arab Emirates. Three days later, another Amazon data centre in Bahrain was reportedly damaged by the IRGC2. However, Iran was not the only actor targeting data centres - on 11 March, a data centre in Tehran operated by Iran’s state-owned Bank Sepah was struck by a missile, reportedly by either US or Israeli forces3. Firms in Southeast Asia that used those data centres were affected by the disruptions, despite their physical distance from the conflict4.

This article is part of an ongoing series of reactions to the US-Israel war on Iran and its implications to Malaysia, by KRI researchers. In the article, we highlight that Malaysia’s critical sectors are increasingly digitalised and dependent on global digital infrastructure, vulnerable to shocks and crises beyond our borders. We offer the financial sector as a case of proactive risk management, and argue that Malaysia is well-positioned to build digital resilience as it already has the necessary regulatory structures to act.    

Digital transformation of critical sectors in Malaysia

Malaysia has undergone rapid digitalisation. As indicated by the ICT Household Survey 2025 by the Department of Statistics, internet penetration rate across the population is at 98.3% and mobile phone penetration is 99.6%5.

As digital technologies promise greater productivity and efficiency, digital adoption is not only happening at the user level, but also across organisations and entire sectors. Some of these sectors have been demarcated as National Critical Information Infrastructure (NCII) by the National Cyber Security Agency (NACSA), as they provide critical services to the public and the nation. NCII sectors include government services, defence and national security, banking and finance, transportation, energy, and healthcare, among others.

Recognising the benefits of digitalisation, these sectors are rapidly moving forward. For instance, the Ministry of Health aims to digitalise health records of every citizen and equip all public hospitals with hospital information systems by 20296. To give another example, in the transportation sector, seaports (which facilitate more than 90% of Malaysia’s exports7) are also increasingly reliant on digital solutions for real-time tracking, optimised logistics and automated terminal operations.

While we aim for digital transformation and enhancement of important services like healthcare and transportation, the increasing reliance on digital infrastructure also intensifies the consequences when digital systems fail. The risk is further exacerbated when some of this infrastructure is located and managed outside Malaysia’s jurisdiction.

Malaysia’s reliance on global digital infrastructure

Malaysia’s NCII sectors lean substantially on global digital infrastructure, given the widespread use of software and services produced by overseas vendors as well as a cloud-first approach8 for government services.  

To start, Malaysia relies on international subsea cables9 to connect the nation’s systems to the global internet. This is largely unavoidable, as subsea cables carry about 99% of total international internet traffic10. Specific to the Iran war, five out of twenty-nine11 subsea cables that Malaysia depends on pass through the Red Sea and Strait of Hormuz corridors12. Given that Iranian state actors have framed the undersea cables in the Persian Gulf as strategic pressure points, it is a known point of vulnerability13.

Past incidents have shown that damage to subsea cables can result in internet disruptions in Malaysia due to increased latency and longer rerouting time, albeit not to the extent of a full national internet outage14. Local services should therefore prepare themselves for eventualities.

While Malaysia scores higher than the global average on internet resilience (71/100 on the Internet Resilience Index by Internet Society Pulse15), we score notably low on traffic localisation (44/100). What this means is much of the internet traffic generated locally has to travel beyond the country’s borders and back. This is akin to sending a postcard to a friend living in the same city, but the postcard is routed through transit points overseas before it reaches the friend. In other words, there is significant reliance on external infrastructure like foreign transit providers and international data centres.

Another known risk is cyberattacks, which are common and are likely to be increasingly employed during times of war. Past major conflicts, such as the Russia–Ukraine war and the Hamas–Israel conflict, have been observed to trigger a surge in hacktivism. Contrary to traditional warfare, which is tremendously costly, cyber warfare has presented itself as a useful means of carrying out geopolitical attacks at a significantly lower cost. With AI, the barrier to entry for cybercriminals and hacktivists is even lower16.

All these potential threats point to the importance of planning for contingencies when digital services fail, especially in the case of critical sectors. The next section takes a deep dive into Malaysia’s financial sector, a highly digitalised sector with strong regulations, to explore how it prepares for digital resilience.

A sectoral view on digital resilience: Malaysia’s financial sector

Malaysia’s financial sector is digitally mature, with expansive consumer demand for services such as e-payments and digital banking. In 2025, each Malaysian made, on average, 25% more e-payments (538 transactions) compared to 2024, alongside larger e-money transaction sizes. In the same year, 25 million active mobile banking users were recorded, representing an increase of 8.7% from the previous year17.

Thus, the Malaysian financial sector depends on tightly interconnected digital systems - “payment networks, clearing and settlement infrastructures, shared telecommunication services, cloud ecosystems, financial technology and API-driven platforms”18. These operations are supported by various parties, including fintech partners, data centres, telecommunication networks providers, IT service providers and cloud service providers, to name a few.

Recognising the importance of the financial sector on people’s livelihoods and its dependence on digital technologies, Bank Negara Malaysia (BNM) has put considerable emphasis on operational resilience with a focus on technology-related risk management. Two key policy documents are Business Continuity Management (BCM)19 and Risk Management in Technology (RMiT)20. These documents outline both mandatory and guiding requirements for financial institutions to ensure business continuity and risk management, some with penalties if the institutions fail to comply.

A reading of the BCM and RMiT, combined with a discussion paper on Operational Resilience published by BNM21, yields the following points on BNM’s thinking about digital resilience. These are potentially useful for other NCII sectors’ consideration:

Firstly, disruptions are treated as probable incidents with systemic consequences and ripple effects on all within the financial ecosystem when they happen. Therefore, planning for potential scenarios, ranging from war and natural disasters to terrorism and pandemics, is seen as essential. Specific to digital disruptions, the RMiT mandates financial institutions to establish a Cyber Resilience Framework (CRF) to ensure their preparedness.

Secondly, critical functions are identified and prioritised to remain available during disruptions. BCM identifies a list of essential services that must be prioritised to ensure their continued availability, including automated teller machines (ATMs) and online services such as electronic banking, mobile banking, and payment card services. To achieve this, financial institutions are required to establish contingency arrangements and recovery strategies. In the case of disruptions, the RMiT highlights the need for resilient backup mechanisms and an isolated recovery environment to enable the swift restoration of essential banking and payment services.

Thirdly, financial institutions must understand both their own systems and the external systems they depend on. According to the BCM framework, both internal and external interdependencies that are necessary for the operation of critical business functions must be identified, assessed, and taken into account when developing plans for business continuity. For outsourced arrangements, vendors are also required to have effective business continuity plans in place. On digital systems in use, the RMiT requires financial institutions to identify and phase out known security vulnerabilities, such as outdated platforms and end-of-life technology systems.

Fourthly, and relatedly, single points of failure must be avoided, as overdependence on a single provider, system, network route or technology creates systemic vulnerability. Therefore, the RMiT requires financial institutions to identify and rectify single points of failure through an assessment of technology infrastructure, system interconnectivity and dependencies, as well as security controls.

To illustrate, the policy states that if a financial institution uses cloud environments, the cloud services should run on different virtual hosts rather than the same host. In addition, data centres must possess redundant capacity components and multiple distribution paths to power the institution’s computer equipment. Technology diversification is also required to ensure that the infrastructure supporting critical systems is not excessively exposed to similar technological risks.

Fifthly, resilience plans must be regularly tested through drills, simulations and stress tests to ensure their continued effectiveness at an optimal level. Both BCM and RMiT stress the need for these components to be subjected to rigorous testing programmes to assess their actual functionality and readiness, rather than merely appearing effective on paper.

Lastly, the policies have been enforced, ensuring that financial institutions fulfil their duty to manage risks. For instance, when Maybank and CIMB Bank failed to comply with BNM’s regulations on service availability and operational resilience (including failures to restore e-banking channels and mobile banking applications within a certain time period), both institutions were fined a combined amount of more than RM5 million22.

The Malaysian financial sector is highly digitalised, interconnected and regulated; attributes that shape its proactive stance to digital resilience. While other NCII sectors have their own characteristics and stage of digital adoption, they may find the above considerations helpful when guiding their own sectors’ practices, to appropriate levels of stringency and standardisation.

Reducing external dependency and increasing sectoral resilience

The discussion thus far points to a two-pronged approach that Malaysia can adopt concurrently to strengthen its digital resilience.

The first is to work on reducing the country’s dependency on global infrastructure to the extent it is possible. For example, in the case of traffic localisation, Malaysia can increase local peering23 among its networks through internet exchange points (IXPs) so that local internet traffic does not have to route through transit providers overseas. Currently, Malaysia’s peering efficiency score is 3024, indicating that only 30% of active networks within Malaysia are participating in local peering25. There is therefore room for improvement.

The second is to ensure that critical sectors actively prepare for digital disruptions, as illustrated by the case of the financial sector. The Cyber Security Act (2024) provides a regulatory foundation, as it stipulates sector leads for the eleven NCII sectors, which can set sector-specific codes of practice to guide or mandate NCII entities to withstand, respond to, and recover from cyber incidents. This allows for efficient dissemination of directives and requirements, provided that sectoral leads take proactive action.

There are indications that some other NCII sectors are strengthening their practices on digital resilience. Apart from the financial sector, another example of a critical sector that has taken some action is the energy sector. Under the Energy Commission’s Grid Code for Peninsular Malaysia – Main Code26 that came into effect in January 2026, there is a section on managing cybersecurity risk in the energy industry to ensure the continuity and security of electricity supply.

Conclusion

As more of our critical services rely on a digital layer to function, Malaysia needs to prioritise resilience and backup plans for when, not if, systems fail. The inevitability of disruptions is rooted in the chaotic present that we live in – the geopolitical instability of West Asia and its downstream impacts is only one of the multiple crises that the world faces. Among other grave challenges are extreme weather events due to climate change, as well as widespread access to powerful AI models that can exploit cybersecurity vulnerabilities.  

Malaysia has the prerequisite conditions to build this preparedness, with regulatory structures and groundwork already in place, such as agencies like the Malaysian Communications and Multimedia Commission (MCMC) to work on strengthening local digital infrastructure as well as the Cyber Security Act to compel NCII sectors to coordinate. The case of the financial sector shows that some sectors have already moved ahead on digital resilience, and we hope that the lessons learnt from their experience can provide some direction for other sectors that are still shaping their way.

Read Full Publication

Article highlight

featured report

Conclusion

Download Resources
Files
Datasets
Attributes
Footnotes
  1. At the time of writing, the United States and Iran are engaged in a two-month negotiation period following the preliminary deal announced on 17 June 2026. While this development is encouraging, months of unsuccessful efforts have demonstrated the fragility of the process. As long as a final deal has yet to be inked, uncertainty is likely to persist.
  2. Desmarais (2026)
  3. Murphy (2026)
  4. Iman Muttaqin Yusof (2026)
  5. Department of Statistics Malaysia (2026)
  6. Azmi (2025)
  7. Ministry of Digital (2024)
  8. For further details, see the National Cloud Computing Policy (NCCP).
  9. Also known as submarine cables
  10. International Telecommunication Union (2026)
  11. MIDA (2024)
  12. TeleGeography, n.d.
  13. Iran International (2026)
  14. New Straits Times (2020)
  15. Compared to the global average of 53/100
  16. S&P Global (2026)
  17. Bank Negara Malaysia (2026)
  18. Bank Negara Malaysia (2025b)
  19. Issued on 19 December 2022, the BCM is a policy designed to ensure that financial institutions remain operational, i.e. maintaining the continued availability of essential services, when business functions are affected by disruptions resulting from either internal or external risk events.  Bank Negara Malaysia (2022)
  20. The revised RMiT, which came into force on 28 November 2025, aims to improve the management of technology risks in financial institutions, with a stronger emphasis on cybersecurity controls compared to its second version issued in 2023. The first version was released in July 2019, and came into effect on 1 January 2020. Bank Negara Malaysia (2025a)
  21. Bank Negara Malaysia (2025b)
  22. BERNAMA (2024)
  23. According to the Internet Society, peering “is when two or more Internet networks agree to interconnect and exchange traffic (communications and data sent between their customer’s devices) directly without charging each other any fees.” (See https://www.internetsociety.org/blog/2025/03/all-about-peering/)  
  24. Internet Society Pulse (2025)
  25. The peering efficiency score of a country is calculated by taking the number of local networks peering at IXPs in that country and dividing it by the number of local and active (seen on the global routing table) networks in that country.
  26. Energy Commission (2025)
References

Azmi, Amalia. 2025. “All Public Hospitals and Clinics to Have Electronic Medical Records by 2029.” NST Online, November 15, 2025. https://www.nst.com.my/news/nation/2025/11/1315756/all-public-hospitals-and-clinics-have-electronic-medical-records-2029.

Bank Negara Malaysia. 2022. “Business Continuity Management - Policy Document.” https://www.bnm.gov.my/documents/20124/938039/PD-BCM.pdf.

———. 2025a. “Risk Management in Technology (RMiT) Policy Document.” https://www.bnm.gov.my/documents/20124/938039/pd-rmit-nov25.pdf.

———. 2025b. “Operational Resilience - Discussion Paper.” https://www.bnm.gov.my/documents/20124/938039/dp_operationalresilience_Dec2025.pdf.

———. 2026. “AR2025: Promoting Safe & Efficient Payment & Remittance Services - Bank Negara Malaysia.” 2026. https://bnm.gov.my/publications/ar2025/ch1e.

BERNAMA. 2024. “BNM Fines Maybank RM4.32 Mln, CIMB RM760,000 For Prolonged Service Disruptions,” August 14, 2024, sec. news. https://bernama.com/en/news.php?id=2329067.

Department of Statistics Malaysia. 2026. “ICT Use and Access by Individuals and Households Survey Report, 2025.” April 23, 2026. https://www.dosm.gov.my/portal-main/release-content/ict-use-and-access-by-individuals-and-households-survey-report-2025.

Desmarais, Anna. 2026. “Middle East Data Centres Are Becoming Targets during Iran War.” Euronews, March 12, 2026, sec. next_tech-news. https://www.euronews.com/next/2026/03/12/data-centres-are-the-new-target-in-modern-warfare-during-iran-war-experts-say.

Energy Commission. 2025. “Grid Code for Peninsular Malaysia – Main Code.” https://www.st.gov.my/sites/default/files/2026-03/01-MainCode_0.pdf.

Iman Muttaqin Yusof. 2026. “Southeast Asia Faces Spillover Cyber Risk from Iran War as ‘Blast Radius’ Widens.” South China Morning Post, March 12, 2026, sec. This Week in Asia. https://www.scmp.com/week-asia/economics/article/3346342/southeast-asia-faces-spillover-cyber-risk-iran-war-blast-radius-widens.

International Telecommunication Union. 2026. “Submarine Cable Resilence.” ITU. April 2026. https://www.itu.int:443/en/mediacentre/backgrounders/Pages/submarine-cable-resilience.aspx.

Internet Society Pulse. 2025. “Internet Resilience Index for Malaysia | ISOC Pulse.” September 25, 2025. https://pulse.internetsociety.org/en/resilience/my/.

Iran International. 2026. “IRGC-Linked Media Hints at Threat to Persian Gulf Undersea Internet Cables,” April 22, 2026. https://www.iranintl.com/en/202604225913.

MIDA. 2024. “Digital Inclusion: Bridging the Connectivity Divide in Malaysia.” August 29, 2024. https://www.mida.gov.my/digital-inclusion-bridging-the-connectivity-divide-in-malaysia/.

Ministry of Digital. 2024. “Connected Seaports: The Transformation Journey Towards Digital Seaport 4.0.” 2024. https://www.digital.gov.my/en-GB/siaran/connected-seaports.

Murphy, Dennis. 2026. “Why Iran Targeted Amazon Data Centers and What That Does – and Doesn’t – Change about Warfare.” The Conversation. April 1, 2026. https://doi.org/10.64628/AAI.hreuwguqq.

New Straits Times. 2020. “Malaysians Experiencing Internet Disruption Due to Submarine Cable Damage.” NST Online, April 11, 2020. https://www.nst.com.my/news/nation/2020/04/583297/malaysians-experiencing-internet-disruption-due-submarine-cable-damage.

S&P Global. 2026. “What Is Cyber Warfare in Geopolitics?” 2026. https://www.spglobal.com/en/research-insights/market-insights/geopolitical-risk/cyber-warfare.

TeleGeography. n.d. “Submarine Cable Map.” https://594292.hs-sites.com/hs-web-interactive-594292-180200503225.

Photography Credit

Featured

KRI shares insightful commentaries on current topics to encourage discussion, but these do not represent KRI's official views.
No news & event found in this category
You can browse other sections or return to the homepage.

Related to this Publication

No results found for this selection
You can  try another search to see more

Want more stories like these in your inbox?

Stay ahead with KRI, sign up for research updates, events, and more

Thanks for subscribing. Your first KRI newsletter will arrive soon—filled with fresh insights and research you can trust.

Oops! Something went wrong while submitting the form.
Follow Us On Our Socials