Technology, Mar 29 2022

Cyber incident reports to FCA up 52%

The Financial Conduct Authority received 116 reports of cyber security incidents in 2021, up from 76 in 2020.

According to a Freedom of Information Request by Picus Security in January, cyber incidents reported to the FCA saw an increase of 52 per cent last year.

Of the incidents reported, 65 per cent were due to cyber-attacks and approximately one third of incidents (37) contained notifications where the confidentiality of company or personal data may have been compromised or breached.

Suleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs, said: “Financial services firms are amongst the best prepared and most highly capable organisations at detecting and responding to cyber incidents.

“Yet, despite investing heavily in security and data protection, it’s clear that many continue to experience challenges in these areas.”

Ozarslan said the large rise in cyber incidents reported to the FCA is a concerning trend and should serve as an important reminder to all firms about the need to make ongoing improvements in all areas of security. 

“This is necessary to not only mitigate the risks posed by external threats but also those which arise due to IT failures and human error.”

According to the FCA, an incident may be material if it results in a significant loss of data, results in the unavailability or control of IT systems, affects a large number of customers and results in unauthorised access to information systems.

The FOI, which hoped to understand the degree to which cyber incidents impacted the UK finance sector in 2021, revealed that one in five incidents reported to the FCA in 2021 involved ransomware. 

The month of March also saw the largest number of incidents reported over the past year, with 21 reports.

Ozarslan added: “Defending financial institutions against all the threats they face remains a tough challenge, made even harder by the growing attack surface. 

“Only by validating security capabilities on a continuous basis can firms hope to measure their threat readiness more accurately and swiftly close the gaps needed to take their operational resilience to the next level.”

Last week, The Private Office, a Leeds-based IFA, experienced an email hack just 24 hours before the City watchdog told firms to prioritise cyber resilience.

An “illegitimate” email sent from the address of one of the firm's chartered financial planners, Roger Clarke, on March 23 told recipients to click on a document link regarding an ‘agreement’ with the firm.

The subject line of the email, which was sent from the IFA’s server domain ‘theprivateoffice.com’, read: ‘Complete today (23/03/22) agreement from The Private Office’.

A day after The Private Office’s email server was hacked, the FCA published a warning to firms recommending they follow their actionable guidance “as a priority” to reduce their risk of “cyber compromise”.

The regulator linked to guidance laid out by the National Cyber Security Centre, designed to help firms increase their cyber security vigilance in response to Russia’s invasion of Ukraine.

The FCA told firms: “You should consider your ability, and that of your third-party providers, to withstand a cyber attack. You should take all appropriate steps to shore up your controls, including raising staff awareness: that may, for example, include re-running staff ethical phishing campaigns. Consider if your staffing levels are appropriate to deal with an elevated cyber risk.”

sonia.rach@ft.com
