API Security Under Federal Scrutiny: A Wake-Up Call for CIOs

In one incident, a global domain and hosting provider suffered a breach in which attackers leveraged weaknesses in the provider’s API architecture to extract customer account information. The investigation revealed lapses in authentication controls and a lack of API-specific monitoring.

Similarly, a major telecom company exposed sensitive user data due to unprotected API endpoints. The issue stemmed from insufficient input validation and improper access restrictions — an oversight that drew the attention of federal regulatory agencies.

In both cases, these organizations had invested in traditional defenses but failed to apply the same rigor to APIs, which serve as the connective tissue of modern digital services.

A foundational requirement in nearly all compliance frameworks is maintaining a clear understanding of what assets you have and the type of data they handle. With APIs being developed and updated constantly, often by different teams or third parties, most organizations lack a complete and real-time API inventory. 

Organizations must be able to demonstrate the knowledge APIs in their environment, how each one is used — and, more importantly, identify any that are operating outside of their visibility or processes entirely.

Even if APIs are identified, it’s not always clear what data flows through them or whether they are properly secured. Many organizations can't determine API ownership, nor can they confirm whether the traffic is flowing through approved controls like web application firewalls (WAFs) or API gateways. 

According to our 2024 API Security Impact Study, only 27% of IT security professionals with full API inventories actually know which of their APIs return sensitive data — down from 40% in 2023. 

Moreover, there is often a disconnect between roles: Although 43% of the CIOs we surveyed believe they know which APIs return sensitive data, only 17% of CISOs share that view. These visibility gaps may lead to serious compliance violations if sensitive data, such as credit card information, personally identifiable data, or healthcare-related records are exposed.

Compliance isn’t just about knowing your assets. It’s about ensuring that misuse is detected and addressed in real time. Security teams need to be able to determine if someone was exploiting an API to extract customer data or gain elevated privileges.

For example, companies often are unable to detect subtle business logic abuse or prevent threats such as Broken Object Level Authorization from the OWASP Top 10 API Security Risks. These attack patterns are growing more frequent and often evade traditional perimeter tools.

Many organizations rely on functional testing alone and overlook the importance of security testing. Compliance frameworks increasingly call for security to be embedded from the start, making it essential to test APIs for vulnerabilities before deployment.

Because of these potential gaps in security, regulators are beginning to treat API security failures as direct violations of data protection laws, often resulting in enforcement actions, penalties, or mandated remediation efforts. The U.S. IT and security leaders (CIOs, CISOs, and CTOs) that we surveyed cited an average estimated cost of US$943,162  of the API security incidents they experienced over the past 12 months.

Companies are now expected to demonstrate not only security, but also compliance readiness across API ecosystems. Here’s how API security maps to key several common regulations.

• PCI DSS v4.0: Requires identifying and documenting all payment-related APIs, securing them with strong authentication, monitoring continuously, and limiting access to cardholder data

• GDPR: Mandates data minimization, access control, and data breach notification, all of which depend on securing APIs that handle personal data

• HIPAA: Dictates that protected health information accessed via APIs must be secured using encryption, role-based access, and audit logs

• DORA: Requires resilience testing and incident detection across all digital channels — including APIs, which must be monitored for anomalies and failure scenarios

An unprotected or undocumented API could mean noncompliance, whether it’s exposing cardholder data, health records, or failing to detect anomalies in regulated sectors.

CIOs who lead digital infrastructure and risk initiatives must take a deliberate and structured approach to API security. The first priority: Full visibility into the API environment must be established. Without a real-time inventory across cloud, on-premises, and hybrid environments, it's nearly impossible to secure or audit API use effectively.

Next, security must be embedded by design. This includes implementing strong authentication, validating all inputs, and applying least privilege access across every API in the organization. Observability is equally essential. Monitoring API traffic in real time enables teams to detect anomalies early and respond before risks escalate, which is an important requirement for many regulatory frameworks.

Security efforts should also be mapped directly to compliance requirements. Maintaining a clear alignment between API controls and frameworks like PCI DSS, GDPR, HIPAA, and DORA allows organizations to demonstrate progress, document evidence, and prepare for audits with confidence.

Finally, resilience must be tested continuously. APIs should be part of your broader security testing strategy and operational resilience planning, not an afterthought. Especially for organizations in the European Union under DORA, the ability to simulate attacks, evaluate failure scenarios, and ensure continuity is becoming a baseline expectation.

Akamai API Security helps organizations simplify compliance and reduce risk exposure by providing a full lifecycle approach to API protection. It supports key compliance requirements with:

• Comprehensive discovery and inventory: Continuously discovers and classifies all APIs, including shadow and zombie APIs, to maintain visibility and meet documentation requirements under frameworks like PCI DSS and GDPR

• Risk and posture assessment: Maps findings to major compliance frameworks (e.g., PCI DSS, ISO 27001, GDPR, HIPAA) to identify misconfigurations or vulnerabilities that could result in noncompliance

• Behavioral threat detection: Detects behavioral anomalies, business logic abuse, and improper data exposure that traditional tools often miss, supporting the operational resilience goals of DORA

• Centralized visibility with a compliance dashboard: Provides a centralized view of compliant vs. noncompliant APIs, tracking posture trends over time and simplifying audit preparation

• Seamless integration with security ecosystem: Integrates with security information and event management (SIEM) systems, ticketing systems, and workflow tools to help generate evidence of compliance and to streamline incident response

API-related incidents are no longer considered isolated technical issues. They are compliance failures with regulatory consequences. As federal scrutiny intensifies, technical CIOs must ensure that API security is not just implemented, but operationalized and auditable. By treating APIs as first-class citizens in your security and compliance programs, you not only reduce risk but also future-proof your enterprise against emerging regulations and threats.