The number of incident reports to the FCA by financial services firms grew by more than 1,000% in 2018, prompting warnings over resilience to cyber-attacks
Equifax settles 2017 data breach case with US regulator
Financial services firms have been warned that “more needs to be done” to shield themselves from cyber-attacks, following a huge increase in the number of incident reports made to the UK financial regulator.
The number of “cyber incidents” conveyed to the Financial Conduct Authority (FCA) last year by finance businesses increased by more than 1,000% on the previous year, according to data acquired by UK-based accountancy network RSM under a freedom of information request.
The data shows the number of reports made to the UK financial watchdog grew from 69 in 2017 to 819 in 2018.
There were also 93 cyber-attacks reported to the FCA in 2018, with more than half of these related to phishing schemes and a fifth being the result of malware.
RSM technology risk assurance partner Steve Snaith said: “While the jump in cyber incidents among financial services firms looks alarming, it’s likely that this is due in part to firms being more proactive in reporting incidents to the regulator.
“However, we suspect that there is still a high level of under-reporting.
“Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.
“As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible.
“While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.”
Financial services have ‘serious vulnerabilities’ in their resilience to cyber-attacks
Retail banks were the main target of nefarious cyber activity during the period, accounting for 486 reports – or 60% of the total number.
More than a fifth of the incidents reported to the UK financial watchdog were attributed to third-party failure – meaning banks and other finance companies should pay close attention to the digital tools they source from outside suppliers, as well as any working partnerships they form.
Mr Snaith said: “The figures underline the importance of organisations obtaining third party assurance of their partners’ cyber controls.
“Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.
“There remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls.
“More needs to be done to embed a cyber-resilient culture and ensure effective incident reporting processes are in place.”
Other leading root causes for the cyber incidents reported to the FCA in 2018 were issues with hardware and software, as well as issues emerging from change management.
Financial services firms should be prepared for ‘inevitable’ data breach from cyber-attacks
Given that third-party failure was identified as the leading cause of cyber incidents reported to the FCA during 2018, a significant degree of scrutiny should of course be directed at the supply chain of technology.
Ross Brewer, EMEA vice-president and managing director for US-based IT security firm LogRhythm, said: “Cyber criminals are invariably after one thing – data.
“The richest and most lucrative stores of data are found in the largest organisations, which include banks and insurers.
“Naturally, due to the complexities of running a multinational financial services firm, these businesses have the broadest and most complex supply chains.
“From third-party suppliers to white label clients, each connection with another business is a potential point of weakness, and it’s something cyber criminals are more than willing to exploit.
“There’s no panacea for ensuring yours, and the networks of your suppliers, remain secure indefinitely.
“It’s a matter of constant diligence and meticulous process. Financial services firms must ensure they trust their suppliers and vet the applications they use.
“For example, organisations can build application whitelists that help to ensure that, during the procurement process, new suppliers’ systems can, within reasonable doubt, be considered secure.
“These are precautionary steps, but in today’s threat landscape it’s almost inevitable that a breach will occur.
“It’s a tough pill to swallow, but financial services firms need to recognise this and, instead, focus on mitigating any damage.”