There has been a sharp spike in the number of cyber incidents reported by financial services firms, with 819 cases logged with the Financial Conduct Authority (FCA) in 2018, up from 69 the previous year, according to analysis from RSM.
The firm says its freedom of information request revealed that retail banks were responsible for the highest number of reports (486), or over half (59%) of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).
The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.
According to the data obtained by RSM, there were 93 cyber-attacks reported in 2018, representing 11% of the total incidents. Over half of these were phishing attacks, while 20% were ransomware attacks.
Steve Snaith, a technology risk assurance partner at RSM, said: 'While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.
'However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.'
Snaith said the findings underline the importance of organisations obtaining third party assurance of their partners' cyber controls, while the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.
'Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for privacy impact assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.
'Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place,' he said.
By Pat Sweet