
New FinCEN Ransomware Report: Banks Must Contain Materiality Risk

There’s good news about ransomware? We’ll take it!

According to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), banks paid $370 million in ransom payments in 2024. That’s a meaningful drop from the $1.1 billion the previous year.  

This decline reflects stronger law enforcement actions against ransomware gangs and growing resilience across the financial sector.

The not-so-good news: the report acknowledges most ransomware incidents in banking never get reported. Why? Banking industry incident disclosure laws hinge on materiality.

In this industry, materiality — the financial impact, not how often attacks happen — is what determines whether a breach must be disclosed, flagged to regulators, or explained to the board.

It’s a risk metric and a moving target. While it limits what gets reported, it also means it only takes one breach to trigger public fallout.

That’s why breach containment is essential for the financial sector. It's the most reliable way to ensure a cyber incident stays small and non-material before it snowballs into a business crisis.

This post unpacks the latest ransomware trends in financial services, how materiality shapes reporting obligations, and why containment is your best defense against regulatory risk and reputational damage.

Ransomware trends in financial services: key findings from the latest report

According to the newest report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), Ransomware Trends in Bank Secrecy Act Data Between 2022 and 2024, the financial services sector is the hardest hit by ransomware, alongside manufacturing and healthcare.

Between January 2022 and December 2024, financial institutions filed 7,395 Bank Secrecy Act (BSA) reports related to 4,194 ransomware incidents. They reported over $2.1 billion in ransom payments.  

This data underscores just how much risk the financial sector carries. With a high concentration of sensitive data, critical systems, and valuable assets, it’s an obvious and frequent target for ransomware attackers.

There is some encouraging news: ransom payments are trending down. The median payment dropped from $175,000 in 2023 to $155,257 in 2024.

Still, FinCEN warns that these numbers likely don’t capture the full picture. Many incidents never make it into official reports, meaning the actual scale of ransomware activity is probably much higher.

Not all organizations air their dirty ransomware laundry

The reality is that many security incidents never get reported, especially in financial services. There’s often no requirement to report them.

The FBI estimates that only about 15% of all cybercrimes are reported, including ransomware attacks.

Reporting rules are limited because many laws only apply when sensitive data is exposed. On top of that, materiality thresholds are often vague, which leaves room for interpretation and lets many incidents stay out of view.

How the SEC’s definition of materiality affects what gets reported

Under U.S. Securities and Exchange Commission (SEC) rules, publicly traded financial institutions must disclose “material” cyber incidents within four business days. Material means the incident could affect investors or the company’s financial health.

The challenge is that materiality is subjective. If core systems recover fast or no sensitive financial data is exposed, many firms decide the incident is not material and does not need disclosure.

Most breach‑notification laws in finance apply only when personal or customer financial data is involved.  

If ransomware encrypts systems but does not touch sensitive records, reporting rules may not apply. In many of these cases, the incident goes unreported.

Other considerations for bank breach reporting

Meanwhile, private banks and non-public financial institutions often aren’t required to report cyberattacks.  

Unless specific rules apply, they can choose whether or not to disclose an incident. Without legal pressure, many attacks stay hidden.

The decision isn’t just about rules. Banks also worry about the damage a public breach can cause. They risk fines, lawsuits, and a loss of customer trust.

To avoid this, some firms pay the ransom quietly. Others rely on backups to restore systems fast.  

If operations return to normal quickly, the incident often stays private, especially in banking where keeping services running is critical.

Why materiality is the real risk in banking

For financial organizations, materiality is the only metric that matters when the pressure is on.  

You already know the drill — every time something breaks, bank security teams are asking:

  • Will this hit liquidity?  
  • Will regulators call?  
  • Will the board want answers?

With ransomware, one breach can flip the materiality switch fast. It could take you from quiet recovery to an all-out PR disaster requiring mandatory breach reporting.  

Containment is the financial sector’s best defense

It’s helpful to understand the size of the ransomware problem in banking, but that’s not what your board cares about. They aren’t tracking global attack volumes or median ransom payments.

They care about one thing: Will this attack become material?

Materiality means business impact. If an attack becomes material, it can disrupt core systems, expose sensitive data, damage trust, and trigger regulatory penalties under rules like the EU’s Digital Operations and Resilience Act (DORA) and the Federal Financial Institutions Examination Council (FFIEC).

That’s why breach containment is key. It keeps incidents small, blocks lateral movement, shrinks the blast radius, and keeps you below the materiality threshold.

Containment is how you avoid public disclosure. It’s how you stay out of headlines — and out of the SEC’s four-day reporting window.

Prepare for ransomware attacks with Illumio

Your security team protects your network like linebackers protect the end zone. Containment is the best move to keep a cyber incident from becoming material.

With breach containment from Illumio, even if attackers get in, the damage stays small. They can’t move across your network, hit critical systems, or steal sensitive data.

Here’s what Illumio helps you do:

  • Shrink the blast radius. Block common attack paths like remote desktop protocol (RDP), server message block (SMB), and PsExec across banking systems.
  • Stop double extortion. Limit access to financial data and customer records.
  • Stay compliant. Meet FFIEC, DORA, and SEC rules by keeping breaches below the materiality threshold.

You can’t control when laws change or what attackers try, but with Illumio, you can control how far an attack goes.

When the stakes are material, containment isn’t optional

The takeaway from FinCEN’s latest ransomware report is about what those numbers fail to capture.

Ransomware isn’t going away, and in financial services, one breach is enough to cross the materiality threshold and trigger everything that comes with it: regulatory scrutiny, public disclosure, reputational damage, and financial loss.

The truth is that security leaders in banking and insurance aren’t measured by how many attacks they prevent but by whether incidents become business events.  

That’s why breach containment has to be the strategy. It's the difference between a contained threat and a crisis that makes headlines.

Try Illumio Insights free today to get AI-powered observability and one-click containment for your hybrid multi-cloud banking environment.
