Ransomware has become a new cost of doing business for many organizations, and the financial services sector is not immune.

A new report by Sophos showed financial services organizations paid about $2.1 million on average to recover from a ransomware attack, about a quarter of a million dollars more than the global average of $1.85 million.

Sophos commissioned a global survey of 5,400 IT managers across 30 countries by an independent researcher, including 550 respondents from the financial services sector, for its State of Ransomware in Financial Services 2021 report. The survey was conducted in January and February 2021.

Of the 34% of financial services organizations who said they were hit by ransomware, more than half (51%) said the attackers succeeded in encrypting their data.

But preparation paid off for the financial sector as it fared better than other verticals in getting at least some of its data back. More than 9 in 10 respondents, 91%, said they had business continuity and disaster recovery plans. Of those that had data encrypted in an attack, 62% said they used backups to restore their data. However, those who paid a ransom — a quarter of respondents — got back just 63% of their data on average.

The report noted that the higher cost of recovery for financial services compared with other sectors was due to, among other factors, keeping operations running and the high costs of data breach notifications in this sector.

“Strict guidelines in the financial services sector encourage strong defenses. Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations,” John Shier, Sophos senior security advisor, said in a statement. “If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations hit by ransomware in 2020 were in excess of $2 million.”