Sophos has found mid-sized financial services organisations in Asia Pacific and Japan (APJ) spent more than US$2.62 million on average recovering from ransomware attacks.
The report, The State of Ransomware in Financial Services 2021, shows the figure exceeds the global cross-sector average of US$1.85 million, even though the results also found the financial sector among the most resilient against ransomware. The survey studied the extent and impact of ransomware attacks during 2020.
Other findings from the report include:
- 35% of the financial services organisations surveyed in APJ were hit by ransomware in 2020.
- 69% of the organisations impacted said the attackers succeeded in encrypting their data.
Financial services is one of the most highly regulated industries in the world. Organisations must adhere to innumerable regulations, including some with expensive penalties for non-compliance and data breaches, such as SOX, GDPR, and PCI DSS. Many of these organisations are also required to prepare business continuity and disaster recovery plans to minimise any potential damage from data breaches or operational disruptions stemming from a cyberattack.
"Strict guidelines in the financial services sector encourage strong defences," says Sophos senior security advisor, John Shier.
"Unfortunately, they also mean a direct ransomware hit is likely to be very costly for targeted organisations. Add up the price of regulatory fines, rebuilding IT systems and stabilising brand reputation, especially if customer data is lost. You can see why the survey found that recovery costs in 2020 for mid-sized APJ financial services organisations were over $2.62 million."
Two other concerning data points include a small but significant 8% of financial services organisations globally experiencing extortion attacks, where data is not encrypted but stolen. Victims are threatened with the online publication of their data unless they pay the ransom. Backups cannot protect against this risk.
And 11% of global financial organisations surveyed believe they won't get hit because they are not a target. Sophos says this is a dangerous perception, as anyone can be a target. It says the best approach is to assume you will be a target and build your defences accordingly.
Of the APJ financial services organisations that believe they'll be hit by ransomware in the future, 54% of respondents say this is because attacks are now so sophisticated they have become harder to stop. Thirty-five percent feel they'll become a ransomware target because other organisations in their industry already have. And 51% believe that since ransomware is so prevalent, it is inevitable they'll get attacked.
"The financial sector has too much at stake to not set up an in-depth defensive plan to protect, detect and block cyberattackers," says Shier.
"While they should continue to invest in backups and disaster recovery efforts to minimise the impact of an attack, they should also look to extend their anti-ransomware defences by combining technology with human-led threat hunting to neutralise today's advanced human-led cyberattacks."
The survey polled 5,400 IT decision-makers, including 550 in financial services organisations, in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.