Huge Jump in Cyber Incidents Reported by Financial Services Firms
New data obtained by RSM under a freedom of information request has revealed that financial services firms reported 819 cyber incidents to the Financial Conduct Authority in 2018, a huge rise on the 69 incidents reported in 2017.
The retail banks were responsible for the highest number of reports (486) – almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).
The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.
According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.
Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.
"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.
"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.
"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.
"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.
"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."
Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):
Impacted sector | 2018 | % of incidents |
Retail banking | 486 | 59% |
Wholesale financial markets | 115 | 14% |
Retail investments | 53 | 6% |
Retail lending | 52 | 6% |
General insurance and protection | 49 | 6% |
Pensions and retirement income | 35 | 4% |
Investment management | 29 | 4% |
Total | 819 | 100% |
Fig2: The root causes of cyber incidents reported to the FCA (source FCA):
Root cause | 2018 (Jan-Dec) | % of incidents |
3rd party failure | 174 | 21% |
Hardware/software | 157 | 19% |
Change management | 146 | 18% |
Cyber attack | 93 | 11% |
TBC | 93 | 11% |
Human error | 47 | 6% |
Process/control failure | 45 | 5% |
Capacity management | 25 | 3% |
External factors | 17 | 2% |
Theft | 11 | 1% |
Root cause not found | 11 | 1% |
Total | 819 | 100% |
Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):
Cyber attack root cause breakdown | 2018 (Jan-Dec) | % of incidents |
Cyber - Phishing/Credential compromise | 48 | 52% |
Cyber - Ransomware | 19 | 20% |
Cyber - Malicious code | 16 | 17% |
Cyber - DDOS | 10 | 11% |
Total | 93 | 100% |