Research · INV-06

Cyber Resilience in the Financial Sector: Only 22% of Entities Pass a Ransomware Stress Test

Fernando Arrieta·December 11, 2025

ResilienceFinancial SectorRansomwareStress Test

Overview

About this research

Ransomware attack simulation (cyber-resilience stress test) conducted on 18 medium-sized financial entities (Fintechs, Digital Wallets, Niche Banks) in Argentina, Brazil, and Colombia demonstrated that only 22% critical services recovery under 4 hours without transactional data loss. The remaining 78% failed at least one success criterion: 45% had immutable backups that turned out to be compromised or inaccessible during simulation; 33% failed to restore banking core within the Recovery Time Objective (RTO) defined in their BIA; and 50% lacked effective crisis communication procedures, leading to news leaks before containment. Post-mortem analysis revealed that reliance on external IT providers for incident response is the most critical failure factor: entities managing response with internal teams had a 60% success rate, versus 10% for those fully dependent on third parties. A specific resilience stress test framework for the regional financial sector was developed.

Key findings

What the research found

Central questions answered with verifiable data from the study.

How many entities pass the stress test?

Only 22% recover in <4 hours without data loss.

What is the most common failure?

Containment and communication (50%), compromised backups (45%), core restoration failure within RTO (33%).

Which factor influences success most?

Internal response capacity. 60% success with internal team vs. 10% with external dependency.

Methodology

How we conducted the research

Steps completed, sources consulted, and evidence collected during the study.

Normative and theoretical framework: DORA (Digital Operational Resilience Act - principles); ISO 22301:2019 (Business Continuity); NIST SP 800-160 Vol 2 (Cyber Resilient Systems); Local regulations (BCRA A7724, CMF 454, SFC 007).

01Ransomware attack simulation (tabletop + technical) in 18 financial entities

02Immutable backup restoration test under pressure (limited time)

03Evaluation of crisis decision-making and communication process

04Measurement of actual recovery times (Real RTO vs. Theoretical RTO)

Deliverables

Available deliverables

Documents with the full results of this research, adaptable to each organization’s context.

Financial Resilience Report LATAM — results of 18 stress tests

Cyber-resilience Stress Test Framework for financial sector

Download Audit Material

Request the complete methodological package for research [INV-06]. Institutional use only.

Tratamiento de datos confidencial según ISO/IEC 27001

Related research

Complementary studies

Research that extends or contrasts the findings of this study.

Industrial Cybersecurity (OT): 82% of Critical Networks Lack Effective SegmentationINV-04 Shadow AI in LATAM: 73% of Certified Organizations Run AI Without OversightINV-01 Financial CybersecuritySystem Business ContinuitySystem AI AuditSystem AI GovernanceSystem Information SecuritySystem

Share this research

Help circulate evidence-based governance.

Share on LinkedIn Share on X Share via email

Does this research apply to your organization?

If the question is institutional and has context, we can guide you on the next steps.

Start a conversation View all research

Cargando

Preparando la información solicitada…