The 2025 API Security Impact Study highlights the financial and operational challenges faced by Asia-Pacific enterprises due to application programming interface (API) security incidents. The study underscores a troubling disconnect between awareness of API vulnerabilities and the actual commitment to securing these critical components.
Source: 2025 API Security Impact Study, Akamai Technologies
The study reveals that 85% of organizations experienced at least one API-related security incident in the past year, with the average cost of these incidents exceeding US$580,000. Despite the rising awareness of API risks, many companies struggle with visibility into their API ecosystems and the sensitive data they manage.
“APIs are essential for modern digital infrastructure, powering services from mobile banking to connected vehicles. However, our research indicates that organizations in Asia-Pacific are finding it difficult to secure them effectively,” stated Reuben Koh, director of Security Technology & Strategy at Akamai Technologies. He emphasised the need for companies to reach a consensus on the root causes and impacts of API security incidents to develop comprehensive security strategies.
Key findings:
- China leads in API security prioritization: Chinese respondents ranked securing APIs as their top cybersecurity priority. However, there was a significant gap in cost estimations, with C-suite executives estimating API incident costs at CN¥3.75 million (US$517,000) while front-line security staff estimated it at CN¥6.7 million (US$925,000).
- India shows internal disconnects: In India, 77% of C-suite leaders claimed to have complete API inventories, but only 41% of application security (AppSec) professionals agreed. Additionally, just 11% of AppSec teams were aware of which APIs exposed sensitive data.
- Japan deprioritizes API risks: Despite 96% of energy and retail organisations reporting recent API incidents, API security ranked fourth on Japan’s cybersecurity priority list. AppSec teams noted reputational damage as the top consequence of API incidents.
- Australia faces high incident rates: Australia reported the highest incident rate (95%) and incurred significant financial impacts (AU$493,000 on average). Yet, only 6% of organisations conducted regular comprehensive API vulnerability testing.
Disconnect between risk and response
The study highlights a critical gap between perception and reality. While 92% of APAC executives acknowledged experiencing an API incident, only 37% confirmed knowledge of which APIs exposed sensitive data. Testing remains inconsistent, with real-time API testing rates low across the region.
“API abuse is not a theoretical concern; it has real financial and reputational consequences,” added Koh. He urged leadership teams to align more closely with security and AppSec professionals, investing in the necessary tools and processes to safeguard API technology.
Compliance challenges
The study also found that while many organizations consider API security in their compliance programs, only 41% incorporate APIs into risk assessments. With regulatory frameworks like China’s Data Security Law and Australia’s Consumer Data Right regulation emerging, the urgency to address API risks in compliance strategies is growing.
To build resilience, organisations should prioritise a full inventory of APIs, regular testing, and runtime detection to distinguish between normal and abnormal API activity. As APIs become fundamental to digital business, a comprehensive approach to securing them is essential.