There has been a steep increase in the number of cyber incidents reported to the Financial Conduct Authority (FCA) by financial services firms last year.
Data obtained by accountancy firm RSM under a Freedom of Information request showed financial services firms reported 819 cyber incidents to the FCA in 2018, an increase on the 69 incidents reported in 2017.
The National Cyber Security Centre describes a cyber incident as a "breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems".
According to the data, retail banks made the highest number of reports (486), almost 60 per cent of the total. This was followed by wholesale financial markets with 115 reports and retail investment firms with 53.
The sector that reported the fewest cyber incidents was investment management (29), 4 per cent of the total, followed by pensions and retirement income (35) and general insurance and protection (49).
But RSM thought the actual number of incidents could be even higher.
Steve Snaith, a technology risk assurance partner, said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator.
"It also reflects the increased onus on security and data breach reporting following the General Data Protection Regulation (GDPR) and recent FCA requirements.
"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA."
Number of cyber incidents reported to the FCA broken down by the sector:
Impacted sector | 2018 | % of incidents
--- | --- | ---
Retail banking | 486 | 59%
Wholesale financial markets | 115 | 14%
Retail investments | 53 | 6%
Retail lending | 52 | 6%
General insurance and protection | 49 | 6%
Pensions and retirement income | 35 | 4%
Investment management | 29 | 4%
Total | 819 | 100%
One fifth (21 per cent) of the cyber incidents were caused by a third-party failure, compared with 19 per cent attributed to hardware/software issues and 18 per cent to change management.
There were also 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20 per cent were ransomware attacks.
In November, the FCA warned of a significant rise in outages and cyber-attacks affecting financial services firms and called on regulated firms to develop greater cyber resilience to prevent attacks.
Mr Snaith said: "While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.
"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff."
He added: "Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss.
"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."
The root causes of cyber incidents reported to the FCA:
Root cause | 2018 (Jan-Dec) | % of incidents
--- | --- | ---
3rd party failure | 174 | 21%
Hardware/software | 157 | 19%
Change management | 146 | 18%
Cyber attack | 93 | 11%
TBC | 93 | 11%
Human error | 47 | 6%
Process/control failure | 45 | 5%
Capacity management | 25 | 3%
External factors | 17 | 2%
Theft | 11 | 1%
Root cause not found | 11 | 1%
Total | 819 | 100%
According to a Freedom of Information (FOI) request submitted by think tank Parliament Street to HMRC last month (June 7), in the past three years taxpayers submitted 2,602,528 reports of phishing via email, phone and other methods to the tax office.
In the 2016/17 tax year the highest number of reports were received by HMRC at 921,900. In 2017/18 there were 782,982 reports and 2018/19 totalled 897,649, an increase of 15 per cent on the previous year.
Phishing emails based on tax rebates were the most popular, with a total of 1,957,003 reports made about them.
amy.austin@ft.com