API Security Risks in Financial Services

See why 96% of financial firms faced API incidents. Gain insights into AI-linked threats, misconfiguration risks, and cost-saving security strategies.

Key takeaways

Financial services organizations face frequent API incidents, led by data leaks and AI-linked attacks. AI applications, agents, and large language models (LLMs) depend on APIs to reach sensitive systems and customer records. In financial services, these same APIs have become high-value targets. Financial services also stands out for incident frequency: Nearly half of organizations that were hit reported four or more separate events.

Lack of visibility into sensitive customer and payment data flows is a critical gap. Most financial services organizations maintain a full API inventory, yet only 27% also know which APIs return sensitive data. Since these APIs handle personal financial information, account details, and payment data governed by PCI DSS, DORA, and GDPR, the visibility gap is especially concerning.

Financial services leaders claim to prioritize API security, but gaps remain in practice. Protecting AI technologies against attack is now the leading cybersecurity priority across the sector. At the same time, 74% of financial services leaders reported a sharper focus on API security in the past year, driven by rapid API growth from AI and digital initiatives, along with regulatory pressure and audit findings.

Unfortunately the browser/OS you are accessing this page from does not support this functionality. You can access the PDF here

Frequently Asked Questions (FAQ)

Nearly all financial services organizations (96%) reported at least one API-related security incident in 2025, with almost half (48%) experiencing four or more incidents within a 12-month span.

The average annual financial impact is approximately US$620,000, with the highest costs reported in China, Singapore, and Japan, and above-average costs in Brazil and the U.K.

Data breaches or leaks via APIs are the most common incident type (40%), followed very closely by attacks specifically targeting AI-linked APIs (39%).

API misconfiguration is the number one underlying cause, cited by 65% of financial services leaders as the source of ongoing operational and governance gaps.

While 78% of organizations claim a full inventory, 51% do not know which APIs return sensitive data, creating immediate compliance risks for those governed by PCI DSS, DORA, and GDPR.

Security testing maturity is low, as only 17% of financial services organizations have embedded security testing at every stage of the API SDLC and CI/CD pipeline.

Leaders should prioritize continuous automated discovery of all endpoints, advance testing beyond functional checks, and layer dedicated runtime protection to block AI-specific attacks.

Akamai Cloud

Akamai Security

Our global infrastructure

API Security Risks in Financial Services

Key takeaways

Frequently Asked Questions (FAQ)

Frequently Asked Questions (FAQ)

Frequently Asked Questions (FAQ)

How common are API security incidents in the financial services sector?

What is the average financial impact of an API security incident for these organizations?

Which types of API incidents occur most frequently in this industry?

What is the primary root cause of API security incidents for financial firms?

Why is the current level of API visibility considered insufficient for compliance?

How many organizations have successfully integrated security testing into their development pipeline?

What specific actions should leaders take to secure AI-driven API growth?