Cyber Attacks On The British Financial Sector Increasing Fast
The UK Financial Conduct Authority (FCA) has published a cyber and technology resilience report for 2018 and there has been a large increase in cyber-attacks. The FCA surveyed 296 firms during 2017-18 to review their cyber and technology capabilities and defences and the UK government has announced that it will be spending £1.5 billion over the next five years on UK cyber security.
The FCA has reported a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.
The retail banks were responsible for the highest number of reports (486), almost 60 per cent of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The root causes for the incidents were attributed to third party failure (21 per cent of reports), hardware/software issues (19 per cent) and change management (18 per cent). On the basis of the data that the FCA is currently collecting, we see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services.
In the year 2018 to October, firms reported a 187% increase in technology outages to the FCA, with 18% of all the incidents reported to us cyber-related.
The increase in incidents reported to the FCA doesn’t present a one dimensional picture of a surge in cyber-attacks and outages. Firms are reporting incidents more robustly. Albeit we strongly suspect that under-reporting is still a problem.
The FCA does not expect ‘zero-failure’. A point that is explicitly made in July’s FCA, Bank of England discussion paper on operational resilience. In that we talk about setting ‘impact tolerances’ and the ability of firms to ‘recover and learn from operational disruptions’.
The true test of the resilience of UK finance is not the absence of incidents. It’s how well incidents are managed. So from the FCA perspective, the really important questions are along the following lines. Are firms operating strong lines of defence? Are firms resolving issues swiftly? Are firms responding to emerging threats? Are firms managing third parties effectively?
There are fundamental questions about what happens when it goes wrong. Especially in industries, like finance, that have hallmarks of utility services.
According to RSM, a provider of audit, tax and consulting services, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20 per cent were ransomware attacks. Commenting on the figures, Steve Snaith a partner at RSM said:
'While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.
'Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place.’
You Might Also Read:
Security Flaw Puts UK Bank Customers At Risk:
A Cyber Attack Could Spark A Run On Banks: