Ransomware attack in APAC tagged at $2.6 million


Mid-sized financial services organisations in Asia Pacific and Japan (APJ) spent more than US$2.62 million on average recovering from a ransomware attack, according to The State of Ransomware in Financial Services 2021 report from Sophos.

This amount exceeds the global cross-sector average of US$1.85 million even though the results also show the financial sector is among the most resilient against ransomware. 

The survey covered 5,400 IT decision makers, including 550 in financial services organisations, in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.

Financial services is among the most highly regulated industries in the world. Organisations must adhere to myriad regulations, including SOX, GDPR, and PCI DSS, that include pricey penalties for non-compliance and data breaches. 

Many of these organisations are also required to prepare business continuity and disaster recovery plans to minimise any potential damage from data breaches or operational disruptions stemming from a cyberattack.

“If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organisations in APJ hit by ransomware in 2020 were in excess of $2.62 million,” said John Shier, senior security advisor at Sophos.

Shier also noted that a small, but significant, 8% of financial services organisations globally experienced what are known as “extortion” attacks, where data is not encrypted but stolen, and victims are threatened with the online publication of their data unless they pay the ransom. Backups cannot protect against this risk, so financial services organisations should not rely on them as an anti-extortion defense.

Further, 11% of the financial organisations surveyed globally believe they won’t get hit because they are “not a target.”

“This is a dangerous perception because anyone can be a target. The best approach is to assume you will be a target and to build your defences accordingly,” said Shier.

Of the APJ financial services organisations that believe they’ll be hit by ransomware in the future, 54% said this is because attacks are now so sophisticated they have become harder to stop. 

Also, 35% feel they’ll become a target because other organisations in their industry have already been targeted with ransomware, while 51% believe ransomware is so prevalent that it is inevitable they’ll get hit.

“While they [financial services organisations] should continue to invest in backups and their disaster recovery efforts to minimize the impact of an attack, they should also look to extend their anti-ransomware defences by combining technology with human-led threat hunting to neutralise today’s advanced human-led cyberattacks,” said Shier.