
Akamai Technologies has released its latest 2025 API Security Impact Study, offering an in-depth analysis of the hidden vulnerabilities, financial impacts, and operational challenges caused by application programming interface (API) security incidents in the largest Asia Pacific economies.
Based on the study, despite a growing awareness of API vulnerabilities, the commitment to API security from senior leadership and security teams across the region has not kept pace, resulting in costly API attacks that underscore the urgent need to reach a consensus on where API security fits into their cybersecurity priorities.
The study, which surveyed more than 800 IT and security professionals across China, India, Japan, and Australia, paints a stark picture of the escalating risks enterprises face from insecure APIs. With APIs now the backbone of modern digital infrastructure, 85% of organisations in the region reported at least one API-related security incident in the past 12 months.
The financial impact is equally concerning, with the average estimated cost of API security incidents reaching more than USD580,000 across the surveyed markets. However, many enterprises still lack visibility into their API ecosystems and the sensitive data they expose.
“APIs have become mission-critical, powering everything from mobile banking to connected vehicles. But our research shows that organisations across Asia-Pacific are struggling to secure them,” said Akamai Technologies Regional Security Director Reuben Koh. “It is crucial for organisations to reach a consensus on the root cause, impact, and priority levels of API security incidents so that they can implement holistic security strategies to protect critical APIs from development to runtime.”
Key findings for Asia-Pacific include:
- China leads in API security prioritisation, but gaps remain: Chinese respondents were the only group to rank ‘securing APIs from threat actors’ as their top cybersecurity priority. However, cost perceptions varied widely, with C-suite executives estimating API incident costs at USD517,000, and front-line security staff estimating it closer to USD925,000.
- India reveals sharp internal disconnects: While 77% of Indian C-suite leaders claimed to have full API inventories, only 41% of AppSec professionals agreed. This disconnect extends to sensitive data awareness, with just 11% of AppSec teams confident that they know which APIs return sensitive data.
- Japan deprioritises API risks despite industry exposure: API security ranked just fourth on the country’s cybersecurity priority list, even as 96% of organisations in the energy and retail industries reported recent API incidents. Japanese AppSec teams cited reputational damage with boards and executives as the top consequence.
- Australia hit the hardest by incidents but was slowest to respond: Australia saw the highest incident rate (95%) and incurred significant financial impacts (AUD493,000 on average) yet had the lowest percentage of organisations regularly conducting comprehensive API vulnerability testing (6%).
- C-suite awareness is high, but operational visibility is low: 92% of APAC executives said their organisations experienced an API incident in the past 12 months, but only 37% of all respondents could confirm that they know which APIs expose sensitive data.
- Testing remains inconsistent: Despite high incident rates, only a small percentage of respondents across the region reported real-time API testing, with China at 22%, India at 15%, Japan at 11%, and Australia at 6%.
These disconnects reflect a broader challenge: Organisations are deploying APIs faster than they can secure them, creating fertile ground for attackers.
“The problem is no longer theoretical. API abuse is happening right now, with real financial and reputational costs,” added Koh. “Leadership teams must close the gap with security and AppSec professionals working closer together and invest in the right tools, processes, and alignment to protect this critical technology.”
The study also found that while the majority of organisations factor API security into their compliance programs, few are doing so holistically. Only 41% incorporate APIs into risk assessments and just 40% factor APIs into reporting requirements. Japan also lagged behind other countries in the region in recognising API-related compliance requirements, with 22% stating that they do not factor API security into their compliance efforts.
From China’s Data Security Law to Australia’s Consumer Data Right regulation, the need to account for API risks in compliance and security frameworks is growing rapidly. As APIs become the connective tissue of digital business, securing them requires a deliberate, end-to-end approach.
The study offers recommendations that organisations across Asia-Pacific should prioritise to build lasting resilience, including undertaking a full inventory of APIs, regular testing to ensure APIs are coded correctly, implementing runtime detection to differentiate between “normal” and “abnormal” API activity, and more.
You can read the full study here.