Exponential Increase In Reported Cyber Incidents By Financial Services

819 cyber incidents were reported to the Financial Conduct Authority (FCA) in 2018 by the Financial Services sector.

According to data, compiled by risk assurance firm RSM, the number of reported cyber incidents had increased exponentially from the 69 reported cases in 2017.

Whilst this may indicate that financial services and those connected to the sector are facing a huge rise in cyber attacks, it could also highlight an improvement in the awareness of reporting attacks to the relevant regulator.

59% (486) of the attacks were reported by retail banks, 14% (115) reported by wholesale financial markets with 6.4% (53) reported by retail investment firms.

Over a fifth (21%) of all reports were attributed to potential data breaches caused by third party failures.

Almost a fifth (19%) also suffered from compromises arising from company hardware or software with a change in management resulting in 18% of cyber vulnerabilities.

In total, the data revealed that 93 of the reported cases were considered full cyber attacks, 50% of which used phishing tactics and a fifth of attacks used ransomware.

Steve Snaith, a Technology Risk Assurance Partner at RSM said:

“While the jump in cyber incidents among financial services firms looks alarming, it’s likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

“However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

“As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

“The figures also underline the importance of organisations obtaining third party assurance of their partners’ cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

“Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

“Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place.”