Sophos’ new survey report, “The State of Ransomware in Financial Services 2021,” shows 2020 was an expensive year for those unlucky companies victimized by ransomware attacks.
Mid-sized financial services organizations worldwide spent an average of more than $2 million recovering from a ransomware attack. Even though financial services organizations are fairly resilient against cyberthreats, thanks to robust backups and continuity plans, the costs they incur recovering from a ransomware attack are among the highest, exceeding the global average of $1.85 million.
One in three financial services firms were hit by ransomware in 2020, and 51 per cent said attackers succeeded in encrypting their data. That act did not compel many to pay, however: at 25 per cent, the financial services industry had the second-lowest payment rate for ransom demands of any industry surveyed (the global average was 32 per cent).
“Strict guidelines in the financial services sector encourage strong defenses,” Sophos senior security advisor John Shier said. “Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations.
“If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations hit by ransomware in 2020 were in excess of $2 million.”
The survey reveals a few more concerns, Shier observed. Roughly eight per cent of financial services firms were hit with extortion attacks, where data is not encrypted, but the criminals threaten to publish the data online if the ransom is not paid.
“Backups cannot protect against this risk, so financial services organizations should not rely on them as an anti-extortion defense,” Shier cautioned. “Further, 11 per cent of the financial organizations surveyed believe they won’t get hit because they are ‘not a target.’ This is a dangerous perception because anyone can be a target. The best approach is to assume you will be a target and to build your defenses accordingly.”