Financial Conduct Authority  

Number of cyber incidents jumps 1087%

There was a steep increase in the number of cyber incidents reported to the Financial Conduct Authority (FCA) by financial services firms last year.

Data obtained by accountancy firm RSM under a Freedom of Information request showed financial services firms reported 819 cyber incidents to the FCA in 2018, an increase on the 69 incidents reported in 2017.

The National Cyber Security Centre describes a cyber incident as a "breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems".

According to the data, retail banks made the highest number of reports (486) – almost 60 per cent of the total. This was followed by wholesale financial markets with 115 reports and retail investment firms with 53.

The sectors that reported the fewest cyber incidents were investment management (29) – 4 per cent of the total – followed by pensions and retirement income (35) and general insurance and protection (49).

But RSM thought the actual number of incidents could be even higher.

Steve Snaith, a technology risk assurance partner, said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator.

"It also reflects the increased onus on security and data breach reporting following the General Data Protection Regulation (GDPR) and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA."

Number of cyber incidents reported to the FCA, broken down by sector:

| Impacted sector | 2018 | % of incidents |
| --- | --- | --- |
| Retail banking | 486 | 59% |
| Wholesale financial markets | 115 | 14% |
| Retail investments | 53 | 6% |
| Retail lending | 52 | 6% |
| General insurance and protection | 49 | 6% |
| Pensions and retirement income | 35 | 4% |
| Investment management | 29 | 4% |
| Total | 819 | 100% |

One fifth (21 per cent) of the cyber incidents were caused by a third party failure, compared with 19 per cent being hardware/software issues and 18 per cent being due to a change in management.

There were also 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20 per cent were ransomware attacks.

In November, the FCA warned of a significant rise in outages and cyber-attacks affecting financial services firms and called on regulated firms to develop greater cyber resilience to prevent attacks.

Mr Snaith said: "While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff."

He added: "Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. 

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."