APAC’s financial institutions have become the primary global target for sophisticated cyberattacks, as rapid digital banking adoption outpaces security maturity across the region.
Akamai’s latest State of the Internet Security report reveals that APAC accounted for 52% of all global application-layer (Layer 7) distributed denial-of-service (DDoS) attacks against financial services in 2025—marking the fourth consecutive year the region has led in such threats.
The findings underscore a growing imbalance between innovation and risk. As banks accelerate digital transformation—rolling out real-time payments, mobile banking services and API-driven ecosystems—the attack surface has expanded significantly.
Akamai reports that banking and fintech sectors bore the brunt of Layer 7 DDoS attacks in APAC, representing 44% and 38% respectively, while traditional network-layer attacks overwhelmingly targeted banks, accounting for 92% of incidents.
Unlike volumetric attacks, Layer 7 DDoS threats are more difficult to detect as they mimic legitimate user behaviour, overwhelming login portals, payment gateways and customer-facing applications. The complexity of modern financial architectures—often combining legacy infrastructure with cloud-native services—has further compounded the challenge.
A critical vulnerability lies in API visibility. Despite 77% of financial services IT and security leaders in APAC believing they have full oversight of their API ecosystems, only 27% can identify which APIs expose sensitive data.
This disconnect is particularly concerning given that 96% of financial institutions globally reported at least one API-related security incident in the past year, the highest among all industries.
Akamai attributes part of this surge to a 147% increase in advanced bot activity in late 2025, with AI-powered botnets capable of bypassing traditional detection methods.
“APAC’s banks and fintechs sit at the centre of one of the world’s fastest-moving digital financial environments,” said Reuben Koh, director of security technology and strategy, APJ at Akamai. “If an institution does not know which APIs exist, which ones expose sensitive data, or how they are supposed to behave, it is already operating with an elevated level of risk.”
The report calls for a shift in mindset—from viewing cybersecurity as a compliance requirement to embedding it as a core pillar of operational resilience. This includes strengthening defences against application-layer attacks, deploying advanced API security solutions, and leveraging AI-driven threat detection to respond in real time.
Emerging practices such as microsegmentation are also gaining traction. Organisations that have implemented such strategies—isolating critical systems to limit lateral movement—were able to respond to incidents 33% faster, providing a measurable resilience advantage.
Industry analysts have echoed these concerns. Gartner notes that by 2026, more than 50% of enterprise APIs will be unmanaged, increasing exposure to security breaches.
Similarly, research from IBM highlights that the financial sector continues to face the highest cost of data breaches globally, averaging over USD 5.9 million per incident.
As APAC’s financial ecosystem continues to evolve at pace, the Akamai report signals a clear imperative: security strategies must scale just as quickly as innovation, or risk becoming the weakest link in the region’s digital growth story.
