UK financial services firms reported 819 cyber-incidents to the Financial Conduct Authority (FCA) in 2018, up from just 69 in 2017, according to data obtained by accountancy firm RSM through a freedom of information (FOI) request.
Retail banks were hit hardest, accounting for 486 reports (almost 60% of the total), followed by wholesale financial markets on 115 and retail investment firms on 53.
The most commonly cited root cause was third-party failure (21%), followed by hardware and software issues (19%) and change management (18%). Of the 819 incidents, 93 were reported to the FCA as cyber-attacks; over half of those were phishing attacks and 20% were ransomware.
Steve Snaith, a technology risk assurance partner at RSM, believes this surge is probably linked to more proactive reporting to the FCA, but worries that many more incidents still go undisclosed: “We suspect that there is still a high level of under-reporting, and failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties.
“As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible,” he continued. “While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.”
In 2019, Metro Bank became the first major retail bank publicly reported to have fallen victim to an attack on the SS7 signalling protocol, showing that the trend continued into the following year. By exploiting SS7, attackers intercepted the codes that Metro Bank sends to customers' phones by text message to confirm transfers and payments, defeating that additional layer of security.
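The weakness here is not the code itself but the channel: an SMS one-time code is only as strong as the mobile network that delivers it, and SS7 lets a suitably placed attacker re-route a subscriber's texts. The following is an added example, not code from the article, from Metro Bank or from any real attack, that models this in Python: a toy mobile network with an SS7 re-route, a bank that confirms transfers either with a six-digit code sent by SMS or with a code that the customer's enrolled app computes from a device-held secret and the exact transfer details (in the style of transaction signing). It assumes the attacker already holds the victim's online-banking credentials, as SS7 attacks on banks are normally paired with phishing or malware; the class names, phone numbers, payees and amounts are all constructed.

```python
"""Added illustration (not from the article): an SMS-delivered confirmation code
is defeated by an attacker who can re-route SMS via SS7, while a code computed on
the customer's device from an enrolled secret and the transfer details is not.
All names, numbers, secrets and transfer details are constructed for the example."""
import hashlib
import hmac
import re
import secrets


class SmsNetwork:
    """Toy mobile network. A party with SS7 access can register a re-route so
    that a subscriber's text messages are delivered to a number it controls."""

    def __init__(self):
        self.inbox = {}      # number -> list of delivered messages
        self.reroute = {}    # victim number -> number that now receives its SMS

    def ss7_reroute(self, victim_number, attacker_number):
        self.reroute[victim_number] = attacker_number

    def send(self, number, text):
        self.inbox.setdefault(self.reroute.get(number, number), []).append(text)

    def read(self, number):
        return list(self.inbox.get(number, []))


def transaction_code(app_secret, transfer_id, payee, amount):
    """Device-side code: HMAC over the exact transfer details, so it is valid
    only for this transfer and can only be produced by the enrolled device."""
    msg = f"{transfer_id}|{payee}|{amount}".encode()
    return hmac.new(app_secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, network):
        self.network = network
        self.pending = {}      # transfer_id -> expected confirmation code
        self.app_secrets = {}  # customer -> secret enrolled in the mobile app

    # Scheme A: six-digit code sent by text message (the control described above).
    def start_transfer_sms(self, phone_number, payee, amount):
        transfer_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[transfer_id] = code
        self.network.send(phone_number, f"Code to confirm {amount} GBP to {payee}: {code}")
        return transfer_id

    # Scheme B: code computed by an enrolled app; nothing secret crosses the SMS network.
    def enrol_app(self, customer, app_secret):
        self.app_secrets[customer] = app_secret

    def start_transfer_app(self, customer, payee, amount):
        transfer_id = secrets.token_hex(4)
        self.pending[transfer_id] = transaction_code(
            self.app_secrets[customer], transfer_id, payee, amount)
        return transfer_id

    def confirm(self, transfer_id, code):
        """Constant-time comparison; the pending code is consumed whether or not it matches."""
        expected = self.pending.pop(transfer_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


def run_scenarios():
    """Attacker already holds the victim's online-banking credentials and has
    SS7 access. Returns, per scheme, whether the attacker's transfer went through."""
    net = SmsNetwork()
    bank = Bank(net)
    victim_phone, attacker_phone = "+447700900123", "+447700900999"  # constructed numbers
    net.ss7_reroute(victim_phone, attacker_phone)

    # Scheme A: the attacker starts a transfer; the confirmation SMS lands in the attacker's inbox.
    tid = bank.start_transfer_sms(victim_phone, "MULE-ACCT", 2500)
    intercepted = net.read(attacker_phone)[-1]
    stolen_code = re.search(r"(\d{6})$", intercepted).group(1)
    sms_transfer_succeeded = bank.confirm(tid, stolen_code)

    # Scheme B: the attacker starts a transfer but nothing usable crosses the SMS network,
    # so the best available move is a guess at the device-bound code.
    bank.enrol_app("victim", secrets.token_bytes(32))
    tid = bank.start_transfer_app("victim", "MULE-ACCT", 2500)
    app_transfer_succeeded = bank.confirm(tid, "00000000")

    # The genuine customer's device, which holds the secret, still confirms its own transfer.
    tid = bank.start_transfer_app("victim", "LANDLORD", 900)
    genuine_code = transaction_code(bank.app_secrets["victim"], tid, "LANDLORD", 900)
    genuine_succeeded = bank.confirm(tid, genuine_code)

    return {
        "sms_code_intercepted_and_used": sms_transfer_succeeded,
        "app_bound_code_forged": app_transfer_succeeded,
        "app_bound_code_genuine": genuine_succeeded,
        "victim_received_sms": net.read(victim_phone),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The device-bound scheme closes the SS7 channel but not every route to the customer: malware on the phone or a customer talked into approving a fraudulent payment still defeats it, which is why transaction-monitoring of the kind the commentators below describe matters alongside the authentication control.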
Snaith also pointed out that some of the incidents were down to human error or IT environments being mismanaged: “The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.”
Nigel Hawthorn, data privacy expert at McAfee, commented: “Financial institutions must find the right combination of people, process and technology to effectively protect themselves from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems. This means redoubling efforts in training and managing user activities to quickly detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners. With the prospect of damaged customer trust and fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher.”