UK financial services companies were hit by 819 cyber-incidents that were reported to the Financial Conduct Authority (FCA) in 2018.
A freedom of information (FOI) request made by accountancy firm RSM showed a significant increase from the previous year, with only 69 incidents reported in 2017.
The data highlights that retail banks were hit the hardest and had the highest number of reports (486), almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The majority of reports attributed the primary cause of the incident to third-party failure (21%), hardware and software issues (19%) and change management (18%). In addition, the information showed that there were 93 cyber-attacks in 2018 reported to the FCA. Over half of the reports were identified as phishing attacks and 20% as ransomware.
Steve Snaith, a technology risk assurance partner at RSM, stated that the surge is connected to more proactive reporting to the FCA. However, he believes that there are still many more non-disclosed incidents: “We suspect that there is still a high level of under-reporting and failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties.
“As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible,” he added. “While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.”
Metro Bank was the first major retail bank to fall victim to the SS7 exploit in 2019. Hackers were able to intercept an additional layer of security offered by Metro Bank, which asks customers to type in a code sent by text message to their phones to confirm transfers and payments.
Snaith also highlighted that some of the incidents were a consequence of human error and the mismanagement of IT environments: “The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.”
Commenting on cyber incidents, Nigel Hawthorn, data privacy expert at McAfee, said: “Financial institutions must find the right combination of people, process and technology to effectively protect themselves from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems.”
Hawthorn said this would mean “redoubling efforts” in training and managing user activities in order to “detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners.”
“With the prospect of damaged customer trust and fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher,” he added.