Why security is a growth decision in digital assets
Tue, 12th May 2026
Ransomware and cyberattacks on financial infrastructure are not new. What has changed is where the threats are coming from, and how sophisticated they have become.
What was once a fragmented collection of opportunistic hackers has become a multi-layered, professionalised threat environment. State-sponsored actors like North Korea's Lazarus Group now account for three-quarters of all attacks on crypto platforms found in Fireblocks' Securing Digital Assets in an Evolving Threat Landscape, with DPRK-linked operations running at nearly five times the scale of other threat groups. Organised cybercrime has matured into a service industry: sophisticated wallet-draining tools are now packaged and licensed to non-technical actors on a revenue-share basis, lowering the barrier to executing a serious attack. And beyond both, there is a substantial and growing threat from individual actors, loosely coordinated groups, and malicious insiders with legitimate access.
That is the threat environment APAC institutions are building their digital asset operations in right now. And they are building fast.
According to Fireblocks' The Financial Grid research, 62% of APAC institutions have already committed budget for digital asset infrastructure. That is the highest rate globally and more than double North America's 27%. Of those committed institutions, 79% are spending above $1 million.
No other region is at this stage. But commitment and execution are not the same thing. Most of that budget, and those pilots, have not yet translated into live production infrastructure. That gap between pilot and production is where the infrastructure decision gets made, and where getting it wrong is most costly.
The risk is different here
Security in digital assets is not like traditional IT security. When a breach occurs in a conventional environment, the response is containment and remediation: systems are restored, data is recovered, regulators are notified. The damage is serious, but recoverable.
In digital assets, when a malicious transaction reaches finality on the blockchain, there is rarely a way to recover funds. The loss is direct and permanent. That changes the nature of the risk entirely. It moves from a technology problem to a business continuity problem, and from an IT decision to a board-level one.
The technical requirement that nobody is talking about is what this means for approval architecture. Informal approval paths, scattered tooling, and implicit permissions may function adequately day-to-day, but they are not built for the transaction volumes, regulatory scrutiny, or threat sophistication of production-scale operations. Companies that have not made this distinction are the ones most exposed as they move from pilot to production.
The infrastructure decision is the growth decision
There is a clear common denominator across the institutions that are scaling digital asset operations successfully. Rather than treating security as a line item to be addressed retrospectively, after the core product was built, they made it a foundational architectural decision, and that decision has compounded in their favour.
Governance, compliance, and reconciliation are the most critical capabilities as institutions scale, and the ones that are hardest to retrofit. The institutions that built on enterprise-grade infrastructure from the start find these scale with them. Those that didn't are running into obstacles on exactly those capabilities, at exactly the moment market demand is accelerating.
Security architecture and growth architecture are the same decision. They just get made at different points in time.
The next frontier: corporate treasury
The first wave of institutional digital asset adoption was led by crypto-native firms. The next will be driven by corporate treasurers and transaction banking teams. According to Citi's Tokenization 2030 report, forecasts point to $5.5 trillion in tokenised assets by 2030, with digital money likely to outpace even those projections given the pace at which stablecoins are already being adopted.
For that wave to materialise, infrastructure has to plug into the core banking and treasury systems institutions already use. A stablecoin payments capability that operates as a parallel system - disconnected from existing treasury workflows, reconciliation processes, and compliance frameworks - will not deliver the velocity and capital efficiency institutions are looking for. Interoperability is not a nice-to-have. It is what determines whether the capability is actually usable.
The open question for most institutions isn't whether to move forward. It's how to get from "we have a pilot" to "this is live, integrated, and auditable." That is where the real infrastructure work happens, and it takes longer than most teams expect.
The question is not just whether you are protected
For finance and technology leaders in APAC, the more important question is not whether systems are protected. It is whether the infrastructure decisions made now will hold up as operations scale, as regulatory scrutiny increases, and as threat actors continue to target institutions at the precise moment of peak exposure.
The institutions moving fastest on digital assets resolved the security and infrastructure question early. Those still treating it as a procurement decision are making a strategic one, whether they realise it or not, because whoever controls the infrastructure layer controls the client relationship, the settlement mandate, and the data.