
Device governance is not an IT problem. For SEA's financial sector, it is a boardroom one

By Apu Pavithran

With fintech being a targeted industry, no vulnerability can be left exposed. 

The cybercriminal group referred to as GoldFactory had, by December 2025, targeted about 30 financial institutions in Indonesia, Thailand, and Vietnam, injecting malicious code into original banking apps. Its modus operandi, impersonating government officials, is a stark reminder that in an increasingly hostile threat landscape, a single click can be the start of a compromise.

And with fintech being one of the most targeted industries in 2026, no vulnerability can be left exposed.

Regulators are raising the bar
The timing of this campaign coincides with a rapidly tightening regulatory environment in Southeast Asian financial markets.

Indonesia's Otoritas Jasa Keuangan has formalised cybersecurity resilience requirements that go beyond policy documentation. Financial service providers now have to demonstrate security maturity in measurable terms, including evidence of an effective approach to governing the entry points through which employees, contractors, and partners gain access to critical financial systems.

Similar frameworks are in development at the Monetary Authority of Singapore, Bank Negara Malaysia, and the Bangko Sentral ng Pilipinas.

For financial institutions that have, until now, operated under a compliance-based model built on periodic audits and policy attestations, this is more than an incremental change in regulatory requirements. It is a fundamental shift in how security accountability is viewed at board level.

What most organisations are underestimating
The truth is that a large proportion of financial institutions in this region still manage device populations as administrative inventory. Devices are acquired, allocated, and tracked. Whether those devices are running up-to-date software, comply with access policies, or are exhibiting unusual behaviour is, in many cases, not a question that can be answered definitively in real time.

Fintechs, particularly those growing very quickly, are affected most. In a rapidly expanding fintech, devices are introduced into the environment far faster than a governance strategy can be developed and implemented.

A financial institution that once managed a small device inventory through a spreadsheet or a loosely controlled device management system has, in most cases, never built the infrastructure needed to manage hundreds of devices across multiple markets. This is precisely the gap that campaigns like GoldFactory exploit.

And in 2026, many established financial institutions face the same problem. Digital channel growth, hybrid work, and third-party vendor access have all expanded device populations well beyond what governance models designed for a simpler estate can handle.

Which device is accessing which system, and with what level of policy compliance, is a question many financial institutions are unable to answer definitively.

A leadership problem, not an IT configuration problem
This is a leadership problem, and it requires a significant change in how device governance is viewed within an organisation. A device is not merely a hardware asset on the company's ledger. It is a conduit to banking systems, customer information, and payment systems. Every device that interacts with an institutional system is an ongoing risk that must be actively managed, rather than passively monitored.

This has important implications for governance structure. Accountability for device security must sit with the risk committee, not only with IT operations. The CISO's reporting line, the cadence of security-related board discussions, and the criteria by which third-party access is granted must all reflect that endpoints are a primary attack surface, one that financial regulators across the region are now examining in detail.

Organisations would be wise to assess how readily they can produce audit-ready evidence of device compliance on demand. If much of that information has to be assembled manually, the approach needs rethinking. There are four main areas where institutions can build a robust and demonstrable security posture.

The first is comprehensive visibility into all devices, including those that employees, and even third parties, have connected to the institution's networks. A device on the network that the institution cannot identify is not an acceptable state in any regulated financial environment.

The second is a move from periodic to continuous monitoring. Point-in-time checks no longer satisfy what financial regulators in Southeast Asia are mandating. Institutions need mechanisms that produce audit-ready evidence of control effectiveness across all devices.

The third is treating device access policy as a matter of risk governance. Deciding who can and cannot access an institution's systems, from where, and under what conditions, is a fundamental risk-based decision. It must be owned at executive level, not at IT operations level.

The fourth is workforce readiness, including upskilling security operations staff in endpoint governance, not just threat detection. This is an investment in an institution that will stand up to scrutiny.

GoldFactory will not be the last campaign of its kind in Southeast Asia. The region's financial sector is growing, digitalising, and attracting significant and sustained cybercriminal attention.

It is not the financial institutions with the largest security budgets that will thrive in these conditions. It is those that have placed device governance on the executive agenda and can demonstrate it.

Join Asian Banking & Finance community