Financial services firms, including those in the general insurance and protection sector, are themselves falling victim to cyber incidents.
According to data obtained by audit and consulting firm RSM, 819 cyber incidents were reported by financial services firms to the Financial Conduct Authority (FCA) in 2018. In the previous year there were only 69.
Of these 819 reported cyber incidents, 486, or 59%, came from retail banks. Other contributors were wholesale financial markets, with 115 reports or 14%; retail investments, 53 reports or 6%; retail lending, 52 reports or 6%; and general insurance and protection, 49 reports or 6%.
Meanwhile, 35 reports (4%) came from the pensions and retirement income sector, and investment management accounted for 29 reports, also 4%.
“While the jump in cyber incidents among financial services firms looks alarming, it’s likely that this is due in part to firms being more proactive in reporting incidents to the regulator,” noted Steve Snaith, a technology risk assurance partner at RSM. “It also reflects the increased onus on security and data breach reporting following the GDPR (General Data Protection Regulation) and recent FCA requirements.
“However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyberattack could expose the firm to sanctions and penalties from the FCA. As the FCA has previously pointed out, eliminating the threat of cyberattacks is all but impossible.”
The data also showed that 21% of the reported incidents were caused by third-party failure, 19% by hardware/software issues and 18% by change management. Cyberattacks were close behind with 11%.
“Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls,” added Snaith. “More needs to be done to embed a cyber-resilient culture and ensure effective incident reporting processes are in place.”