The retail banks were responsible for the highest number of reports (486) – almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.

The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).

The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.

According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.

Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."

Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):

Impacted sector 2018 % of incidents
Retail banking 486 59%
Wholesale financial markets 115 14%
Retail investments 53 6%
Retail lending 52 6%
General insurance and protection 49 6%
Pensions and retirement income 35 4%
Investment management 29 4%
Total 819 100%

 

Fig2: The root causes of cyber incidents reported to the FCA (source FCA):

Root cause 2018 (Jan-Dec) % of incidents
3rd party failure 174 21%
Hardware/software 157 19%
Change management 146 18%
Cyber attack 93 11%
TBC 93 11%
Human error 47 6%
Process/control failure 45 5%
Capacity management 25 3%
External factors 17 2%
Theft 11 1%
Root cause not found 11 1%
Total 819 100%

 

Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):

Cyber attack root cause breakdown  2018 (Jan-Dec) % of incidents
Cyber - Phishing/Credential compromise 48 52%
Cyber - Ransomware 19 20%
Cyber - Malicious code 16 17%
Cyber - DDOS 10 11%
Total 93 100%