The number of cyber incidents reported by financial services firms increased nearly 12-fold in 2018 from 2017, mainly due to third-party failures, highlighting several key areas that need improvement.
Financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, up from just 69 incidents in 2017, according to data obtained under the Freedom of Information Act by audit, tax and consulting firm RSM.
Retail banks were responsible for the greatest number of reports (486), accounting for almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The incidents were attributed mainly to third party failure (21%), hardware and software issues (19%) and change management (18%), with cyber attacks cited in only 11% of cases. Human error and process or control failure accounted for 6% and 5% of incidents respectively.
The FCA has recently warned of a significant rise in service outages and cyber attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.
According to the FoI data obtained by RSM, there were 93 cyber attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks. Malware was cited in 17% of cyber attacks reported, while distributed denial of service (DDoS) attacks accounted for 11%.
Steve Snaith, a technology risk assurance partner at RSM said that while the huge jump in the number cyber incidents looks alarming, it is likely that this is due in part to firms being more proactive in reporting incidents to the regulator.
“It also reflects the increased onus on security and data breach reporting following the full implementation of the GDPR [EU General Data Protection Regulation] and recent FCA requirements.
“However, we suspect that there is still a high level of under-reporting. Failure to report immediately to the FCA a significant attempted fraud against a firm via cyber attack could expose the firm to sanctions and penalties from the FCA,” he said.
As the FCA has previously pointed out, Snaith said eliminating the threat of cyber attacks is all but impossible.
“While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber attacks that it faces,” he said.
The figures also underline the importance of organisations obtaining third party assurance of their partners’ cyber controls, said Snaith. “Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.
“Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR [and the GDPR-aligned UK Data Protection Act] DPA2018 should hopefully drive a greater level of governance in this area,” he said.
Overall, Snaith said there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. “More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place,” he said.
UK law enforcement is also calling for improvements in cyber crime reporting. “It is crucial that businesses report cyber crime to us because every incident is an investigative opportunity,” Rob Jones, director of threat leadership at the UK National Crime Agency (NCA) told Computer Weekly.
“Failure to report creates an unpoliced space and a situation where incident response companies just sweep up the glass, but don’t deal with the underlying issue, which emboldens criminals,” he said. “As a result, the problem will continue and prevalence, severity and sophistication of attacks will increase.”
Nigel Hawthorn, data privacy expert at security firm McAfee said that it is widely recognised that cyber incidents were previously under-reported. “It’s positive to see the [financial services] industry is now reporting issues so the sector can get the full picture and ensure steps are taken to better protect data and systems against current and emerging threats.
“Financial institutions must find the right combination of people, process and technology to protect themselves effectively from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems.
“This means redoubling efforts in training and managing user activities to quickly detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners. With the prospect of damaged customer trust and fines from the FCA or ICO [Information Commissioner’s Office] looming as the result of a data breach, the stakes have never been higher.”
This article originally appeared on ComputerWeekly.