
Introduction
As we move into the second half of the year, the world remains entrenched in the crisis brought about by the United States-Israel/Iran conflict1. Strikes and counter-strikes in the region have taken thousands of lives and damaged civilian infrastructure. The closure of the Strait of Hormuz, a key shipping route, has also had devastating consequences on global supplies and economic stability.
As the conflict rages on, most of the attention locally in Malaysia has focused on the resulting food and fuel crisis. While that is important, we believe it is equally crucial to highlight a less-discussed issue - Malaysia’s digital resilience in times of crisis. The war in Iran has the potential to trigger systemic failure in critical services in Malaysia when global digital infrastructure is attacked physically or virtually, or suffer incidentally as collateral damage.
This is not a hypothetical consideration. On 1 March, Iran’s Islamic Revolutionary Guard Corps (IRGC) bombed two Amazon data centres in the United Arab Emirates. Three days later, another Amazon data centre in Bahrain was reportedly damaged by the IRGC2. However, Iran was not the only actor targeting data centres - on 11 March, a data centre in Tehran operated by Iran’s state-owned Bank Sepah was struck by a missile, reportedly by either US or Israeli forces3. Firms in Southeast Asia that used those data centres were affected by the disruptions, despite their physical distance from the conflict4.
This article is part of an ongoing series of reactions to the US-Israel war on Iran and its implications to Malaysia, by KRI researchers. In the article, we highlight that Malaysia’s critical sectors are increasingly digitalised and dependent on global digital infrastructure, vulnerable to shocks and crises beyond our borders. We offer the financial sector as a case of proactive risk management, and argue that Malaysia is well-positioned to build digital resilience as it already has the necessary regulatory structures to act.
Digital transformation of critical sectors in Malaysia
Malaysia has undergone rapid digitalisation. As indicated by the ICT Household Survey 2025 by the Department of Statistics, internet penetration rate across the population is at 98.3% and mobile phone penetration is 99.6%5.
As digital technologies promise greater productivity and efficiency, digital adoption is not only happening at the user level, but also across organisations and entire sectors. Some of these sectors have been demarcated as National Critical Information Infrastructure (NCII) by the National Cyber Security Agency (NACSA), as they provide critical services to the public and the nation. NCII sectors include government services, defence and national security, banking and finance, transportation, energy, and healthcare, among others.
Recognising the benefits of digitalisation, these sectors are rapidly moving forward. For instance, the Ministry of Health aims to digitalise health records of every citizen and equip all public hospitals with hospital information systems by 20296. To give another example, in the transportation sector, seaports (which facilitate more than 90% of Malaysia’s exports7) are also increasingly reliant on digital solutions for real-time tracking, optimised logistics and automated terminal operations.
While we aim for digital transformation and enhancement of important services like healthcare and transportation, the increasing reliance on digital infrastructure also intensifies the consequences when digital systems fail. The risk is further exacerbated when some of this infrastructure is located and managed outside Malaysia’s jurisdiction.
Malaysia’s reliance on global digital infrastructure
Malaysia’s NCII sectors lean substantially on global digital infrastructure, given the widespread use of software and services produced by overseas vendors as well as a cloud-first approach8 for government services.
To start, Malaysia relies on international subsea cables9 to connect the nation’s systems to the global internet. This is largely unavoidable, as subsea cables carry about 99% of total international internet traffic10. Specific to the Iran war, five out of twenty-nine11 subsea cables that Malaysia depends on pass through the Red Sea and Strait of Hormuz corridors12. Given that Iranian state actors have framed the undersea cables in the Persian Gulf as strategic pressure points, it is a known point of vulnerability13.
Past incidents have shown that damage to subsea cables can result in internet disruptions in Malaysia due to increased latency and longer rerouting time, albeit not to the extent of a full national internet outage14. Local services should therefore prepare themselves for eventualities.
While Malaysia scores higher than the global average on internet resilience (71/100 on the Internet Resilience Index by Internet Society Pulse15), we score notably low on traffic localisation (44/100). What this means is much of the internet traffic generated locally has to travel beyond the country’s borders and back. This is akin to sending a postcard to a friend living in the same city, but the postcard is routed through transit points overseas before it reaches the friend. In other words, there is significant reliance on external infrastructure like foreign transit providers and international data centres.
Another known risk is cyberattacks, which are common and are likely to be increasingly employed during times of war. Past major conflicts, such as the Russia–Ukraine war and the Hamas–Israel conflict, have been observed to trigger a surge in hacktivism. Contrary to traditional warfare, which is tremendously costly, cyber warfare has presented itself as a useful means of carrying out geopolitical attacks at a significantly lower cost. With AI, the barrier to entry for cybercriminals and hacktivists is even lower16.
All these potential threats point to the importance of planning for contingencies when digital services fail, especially in the case of critical sectors. The next section takes a deep dive into Malaysia’s financial sector, a highly digitalised sector with strong regulations, to explore how it prepares for digital resilience.
A sectoral view on digital resilience: Malaysia’s financial sector
Malaysia’s financial sector is digitally mature, with expansive consumer demand for services such as e-payments and digital banking. In 2025, each Malaysian made, on average, 25% more e-payments (538 transactions) compared to 2024, alongside larger e-money transaction sizes. In the same year, 25 million active mobile banking users were recorded, representing an increase of 8.7% from the previous year17.
Thus, the Malaysian financial sector depends on tightly interconnected digital systems - “payment networks, clearing and settlement infrastructures, shared telecommunication services, cloud ecosystems, financial technology and API-driven platforms”18. These operations are supported by various parties, including fintech partners, data centres, telecommunication networks providers, IT service providers and cloud service providers, to name a few.
Recognising the importance of the financial sector on people’s livelihoods and its dependence on digital technologies, Bank Negara Malaysia (BNM) has put considerable emphasis on operational resilience with a focus on technology-related risk management. Two key policy documents are Business Continuity Management (BCM)19 and Risk Management in Technology (RMiT)20. These documents outline both mandatory and guiding requirements for financial institutions to ensure business continuity and risk management, some with penalties if the institutions fail to comply.
A reading of the BCM and RMiT, combined with a discussion paper on Operational Resilience published by BNM21, yields the following points on BNM’s thinking about digital resilience. These are potentially useful for other NCII sectors’ consideration:
Firstly, disruptions are treated as probable incidents with systemic consequences and ripple effects on all within the financial ecosystem when they happen. Therefore, planning for potential scenarios, ranging from war and natural disasters to terrorism and pandemics, is seen as essential. Specific to digital disruptions, the RMiT mandates financial institutions to establish a Cyber Resilience Framework (CRF) to ensure their preparedness.
Secondly, critical functions are identified and prioritised to remain available during disruptions. BCM identifies a list of essential services that must be prioritised to ensure their continued availability, including automated teller machines (ATMs) and online services such as electronic banking, mobile banking, and payment card services. To achieve this, financial institutions are required to establish contingency arrangements and recovery strategies. In the case of disruptions, the RMiT highlights the need for resilient backup mechanisms and an isolated recovery environment to enable the swift restoration of essential banking and payment services.
Thirdly, financial institutions must understand both their own systems and the external systems they depend on. According to the BCM framework, both internal and external interdependencies that are necessary for the operation of critical business functions must be identified, assessed, and taken into account when developing plans for business continuity. For outsourced arrangements, vendors are also required to have effective business continuity plans in place. On digital systems in use, the RMiT requires financial institutions to identify and phase out known security vulnerabilities, such as outdated platforms and end-of-life technology systems.
Fourthly, and relatedly, single points of failure must be avoided, as overdependence on a single provider, system, network route or technology creates systemic vulnerability. Therefore, the RMiT requires financial institutions to identify and rectify single points of failure through an assessment of technology infrastructure, system interconnectivity and dependencies, as well as security controls.
To illustrate, the policy states that if a financial institution uses cloud environments, the cloud services should run on different virtual hosts rather than the same host. In addition, data centres must possess redundant capacity components and multiple distribution paths to power the institution’s computer equipment. Technology diversification is also required to ensure that the infrastructure supporting critical systems is not excessively exposed to similar technological risks.
Fifthly, resilience plans must be regularly tested through drills, simulations and stress tests to ensure their continued effectiveness at an optimal level. Both BCM and RMiT stress the need for these components to be subjected to rigorous testing programmes to assess their actual functionality and readiness, rather than merely appearing effective on paper.
Lastly, the policies have been enforced, ensuring that financial institutions fulfil their duty to manage risks. For instance, when Maybank and CIMB Bank failed to comply with BNM’s regulations on service availability and operational resilience (including failures to restore e-banking channels and mobile banking applications within a certain time period), both institutions were fined a combined amount of more than RM5 million22.
The Malaysian financial sector is highly digitalised, interconnected and regulated; attributes that shape its proactive stance to digital resilience. While other NCII sectors have their own characteristics and stage of digital adoption, they may find the above considerations helpful when guiding their own sectors’ practices, to appropriate levels of stringency and standardisation.
Reducing external dependency and increasing sectoral resilience
The discussion thus far points to a two-pronged approach that Malaysia can adopt concurrently to strengthen its digital resilience.
The first is to work on reducing the country’s dependency on global infrastructure to the extent it is possible. For example, in the case of traffic localisation, Malaysia can increase local peering23 among its networks through internet exchange points (IXPs) so that local internet traffic does not have to route through transit providers overseas. Currently, Malaysia’s peering efficiency score is 3024, indicating that only 30% of active networks within Malaysia are participating in local peering25. There is therefore room for improvement.
The second is to ensure that critical sectors actively prepare for digital disruptions, as illustrated by the case of the financial sector. The Cyber Security Act (2024) provides a regulatory foundation, as it stipulates sector leads for the eleven NCII sectors, which can set sector-specific codes of practice to guide or mandate NCII entities to withstand, respond to, and recover from cyber incidents. This allows for efficient dissemination of directives and requirements, provided that sectoral leads take proactive action.
There are indications that some other NCII sectors are strengthening their practices on digital resilience. Apart from the financial sector, another example of a critical sector that has taken some action is the energy sector. Under the Energy Commission’s Grid Code for Peninsular Malaysia – Main Code26 that came into effect in January 2026, there is a section on managing cybersecurity risk in the energy industry to ensure the continuity and security of electricity supply.
Conclusion
As more of our critical services rely on a digital layer to function, Malaysia needs to prioritise resilience and backup plans for when, not if, systems fail. The inevitability of disruptions is rooted in the chaotic present that we live in – the geopolitical instability of West Asia and its downstream impacts is only one of the multiple crises that the world faces. Among other grave challenges are extreme weather events due to climate change, as well as widespread access to powerful AI models that can exploit cybersecurity vulnerabilities.
Malaysia has the prerequisite conditions to build this preparedness, with regulatory structures and groundwork already in place, such as agencies like the Malaysian Communications and Multimedia Commission (MCMC) to work on strengthening local digital infrastructure as well as the Cyber Security Act to compel NCII sectors to coordinate. The case of the financial sector shows that some sectors have already moved ahead on digital resilience, and we hope that the lessons learnt from their experience can provide some direction for other sectors that are still shaping their way.










