Ransomware is very much a reality for the finance industry, as revealed in Sophos’ State of Ransomware in Financial Services 2021 report. Based on an independent survey of 550 IT decision makers, it explores the extent and impact of ransomware attacks on mid-sized financial services organizations worldwide during 2020.
Overall, 34% of the financial services organizations surveyed were hit by ransomware in 2020, and 51% of the organizations impacted said the attackers succeeded in encrypting their data.
Preparation pays off
A quarter (25%) of financial services organizations whose data was encrypted paid the ransom to get their data back. This is lower than the cross-sector average of 32%, and likely a result of the sector’s above average ability to restore data from backups.
It appears that financial services are reaping the benefits of having Business Continuity and Disaster Recovery (BC-DR) plans which prepare them for situations like a ransomware attack. Given that financial services organizations that paid the ransom got back just 63% of their data on average, companies are wise to focus on backups as their primary data recovery method.
Overall, the financial services sector stands out as the only sector where all organizations whose data was encrypted managed to get at least some of it back. Again, it’s likely that financial organizations’ disaster recovery work has prepared them well for a ransomware attack.
Winning the battle, losing the war
When it comes to the actual ransoms paid, financial services come in considerably below average, with an average payment of US$69,369 compared to the cross-sector average of US$170,404. (Note: the low number of financial services respondents to this question means the finding is indicative rather than statistically significant.)
The good news stops there, however. The overall ransomware recovery cost for financial services is around a quarter of a million dollars higher than the global average (US$2.10 million vs. US$1.85 million). This is likely due to high spending on remediation measures to keep operations running at all costs, and the high costs of data breach notification, reputational damage, and regulatory fines that all impact this sector. As John Shier, senior security advisor at Sophos, explains:
Strict guidelines in the financial services sector encourage strong defenses. Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations. If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations hit by ransomware in 2020 were in excess of $2 million.
A target for extortion-only attacks
Another worrying data point is that a small but significant 8% of financial services organizations hit by ransomware experienced what are known as ‘extortion’ attacks, where data is not encrypted but stolen, and victims are threatened with online publication of their data unless they pay the ransom. Backups cannot protect against this risk, since the data has already left the organization by the time the demand arrives, so financial services organizations should not rely on them as an anti-extortion defense.
Read the full report
To learn more about the impact of ransomware on finance, read the full State of Ransomware in Financial Services 2021 report.