Governance, Risk & Compliance: GRC
Bumper Surge in Cyber Incidents at UK Financial Services Firms Reported in 2018
New data reveals cybersecurity incidents reported to UK financial regulatory body rocketed in 2018.
The number of cybersecurity incidents reported by UK financial services entities increased nearly 12-fold in 2018 from 2017, data published this week reveals.
The data obtained by accountancy firm RSM under a Freedom of Information (FoI) request showed UK financial services firms reported 819 cyber incidents to the nation’s Financial Conduct Authority (FCA) in 2018, up from just 69 reported incidents in 2017.
The sector most affected by cyber incidents is retail banking, which accounted for 486 (59 percent) of incidents, followed by wholesale financial markets with 115 reports and retail investment firms with 53.
When it comes to the root causes of the cyber incidents, third-party failure was to blame for 21 percent of reported incidents, followed by hardware and software issues with 19 percent and change management within the organization with 18 percent.
According to the FoI data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20 percent were ransomware attacks. Malware was cited in 17 percent of cyber attacks reported, while distributed denial of service (DDoS) attacks accounted for 11 percent. Human error and process or control failure accounted for 6 percent and 5 percent of incidents respectively.
RSM said that while the huge jump in the number of cyber incidents looks alarming, it is likely due in part to firms being more proactive in reporting incidents to the regulator, especially given the increased onus on security and data breach reporting following the General Data Protection Regulation (GDPR).
With GDPR, financial institutions now need to prove that they are meticulous custodians of their customers’ data and cash. This matters all the more because ethical questions around data privacy have gained significant traction since the regulation’s inception, arming consumers with a greater understanding of the value of their personal data and the protections that have been made available to them.
The insights we extracted from the data of our recent survey – SAI Global Reputation Trust Index – highlight how important it is for financial institutions to understand how to integrate a robust cyber posture into their business strategies in order to drive customer acquisition and retention.
Notably, the crisis our global respondents were most concerned about is a financial service data breach. Fear of hacking was by far the biggest drawback of future finance given by respondents of our survey, regardless of age, with 65 percent of those we surveyed viewing data privacy as the most important attribute when considering a company’s trustworthiness.
The data released by RSM does prove that the UK financial services industry is now reporting cybersecurity-related issues. Even though the sector is undertaking reviews of its overall compliance strategies to reflect the growing regulatory emphasis on consumer rights and data privacy, there do remain serious vulnerabilities across the sector when it comes to the effectiveness of its cyber controls.
The data shows that more needs to be done to embed a cyber-resilient culture and ensure effective incident reporting processes are in place. Financial services firms should look across their entire cyber risk posture and actively engage to find the right combination of people, process and technology to protect themselves effectively from attacks and human error, detect any threats as soon as they appear and, if they are targeted, rapidly correct systems. By doing so they can gain a competitive advantage by becoming trusted providers in terms of safety, security, reliability, privacy, and data ethics.