
Financial services firms in APJ spend over $2 million in ransomware recovery costs — Sophos

Bolstering security postures proved to be far cheaper than paying for a ransomware attack. This is one of the findings of cybersecurity solutions company Sophos in its latest “The State of Ransomware in Financial Services 2021” survey.

The survey found that financial services organizations in the Asia Pacific and Japan (APJ) spent more than $2.62 million on average recovering from a ransomware attack. The global cross-sector average is $1.85 million.

According to Sophos, the financial services industry (FSI) is among the most resilient against ransomware. Still, the survey revealed that 35% of the financial services organizations surveyed in the region admitted to being hit by ransomware in 2020, and 69% of the respondents disclosed that their data were encrypted as a result of the attack.


“Strict guidelines in the financial services sector encourage strong defenses,” said John Shier, senior security advisor, Sophos. “Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations. If you add up the price of regulatory fines, rebuilding IT systems, and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations in APJ hit by ransomware in 2020 were in excess of $2.62 million.”

The State of Ransomware in Financial Services 2021 survey polled 5,400 IT decision-makers, including 550 in financial services organizations, in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East, and Africa.

The survey also found that 8% of financial services organizations globally experienced what is known as “extortion” attacks. In these attacks the data is not encrypted; instead, victims are threatened that stolen data will be published online unless they pay the ransom. Sophos said backups cannot protect companies against this type of risk.

Complacency and the myth of being “too small to become a prey” often cost small or mid-sized organizations their valuable data and budget. The survey found that 11% of the financial organizations surveyed globally believe they won’t get hit because they are “not a target.”

“This is a dangerous perception because anyone can be a target,” Sophos said. “The best approach is to assume you will be a target and to build your defenses accordingly.”

Cyber defenses

Of the APJ financial services organizations that believe they’ll be hit by ransomware in the future, 54% said this is because attacks are now so sophisticated they have become harder to stop. Thirty-five percent (35%) feel they’ll become a target because other organizations in their industry have already been targeted with ransomware. Fifty-one percent (51%) believe that since ransomware is so prevalent, it is inevitable they’ll get hit by cybercrime.

“The financial sector has too much at stake to not set up an in-depth defensive plan to protect, detect and block cyberattackers,” said Shier. “While they should continue to invest in backups and their disaster recovery efforts to minimize the impact of an attack, they should also look to extend their anti-ransomware defenses by combining technology with human-led threat hunting to neutralize today’s advanced human-led cyberattacks.”