Financial services reported a total of 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, out of which 93 were classified as cyber attacks, 174 occurred due to third-party failure, and 157 occurred due to hardware or software issues.
The number of cyber incidents reported by financial firms to the FCA witnessed a huge jump in 2018 compared to the period between March 2013 and May 2017 when the authority was made aware of only two instances of data breach by financial advisers and pension providers, nine breaches suffered by insurance firms and 15 breaches suffered by lenders.
The huge jump in cyber incident reporting by financial firms could be attributed to the FCA introducing new rules to make it mandatory for banks to inform customers about operational and security incidents so that customers are better informed while choosing accounts that suit their needs.
The new rules will apply to ‘firms that accept deposits (banks and building societies) and provide payment accounts as defined by the Payment Accounts Regulations (typically PCAs) or BCAs that have the features of a payment account’, said the FCA.
Third-party failure & hardware/software issues main reasons behind cyber incidents
Information obtained by RSM via a Freedom of Information request has revealed that financial services in the UK reported a total of 819 cyber incidents in 2018 out of which 93 were classified as cyber attacks, 174 occurred due to third-party failure, and 157 occurred due to hardware or software issues.
Of the 819 cyber incidents reported to the FCA, 47 occurred due to human error, 146 due to change management issues, 45 due to process/control failures, 11 due to theft of data, and 25 due to capacity management.
Out of the 93 cyber attacks reported to the FCA, 48 were phishing or credential compromise attacks, 19 were ransomware attacks, 16 were malicious code injection attacks, and the remaining ten were DDoS attacks, which cripple IT networks and cause extended downtime.
The number of cyber incidents that occurred due to failures in change management, third-party management, human errors, and process failures gives credence to the FCA’s warning that cyber weaknesses of financial services are more pronounced in areas such as third-party management, protecting key assets, identifying and managing high-risk staff, and educating employees with access to critical systems or sensitive data.
According to the FCA, a large number of organisations are struggling in areas such as identification of key assets, services and people, including those provided by third parties, sharing information and detection of attacks.
The inability of firms to identify key assets and data, to maintain a view of their third parties, and to manage end-of-life assets directly impairs their ability to secure such assets from cyber-attacks or to respond appropriately when such assets are lost to unauthorised parties.
At the same time, organisations' failure to monitor hardware and software assets that are nearing end-of-life results in technology outages, leaves those assets vulnerable to cyber-attacks and raises the overall risk to the organisation.
Retail banking firms suffered 58% of all cyber incidents: FCA
Information obtained by RSM also revealed that 59 percent (486) of all reported cyber incidents affected firms in the retail banking sector, while firms in the retail investments and retail lending sectors suffered 53 and 52 cyber incidents respectively.
At the same time, pension firms suffered 35 cyber incidents, investment management firms suffered 29, general insurance and protection firms suffered 49, and wholesale financial markets suffered 115 cyber incidents in 2018.
“Financial services have always been rich targets for hackers, who are often motivated by money. Now, with more open banking, integrations, and payment services directives, as well as new regulatory requirements, managing digital risk has become even more challenging,” says Chris Miller, Regional Director UK & Ireland at RSA Security.
“Banks today are so digitally driven they could just as easily be described as tech companies. In fact, most money that circulates in the world now is electronic, not paper form. While this shift has created a number of efficiency and security gains, not to mention improvements in customer experience, it also creates new digital risks.
“However, many organisations are still trying to tackle these risks using old methods, with risk and compliance teams sitting separately from IT and security teams. This is despite the fact that the lines between GRC, security and IT are becoming increasingly blurred. To be effective and to stem the tide, digital risks need to be addressed in a holistic way,” he adds.
Commenting on the rise in the number of cyber incidents reported to the FCA by financial services, Anna Russell, VP at comforte AG, said that it looks as if stricter data privacy regulations like GDPR have resulted in more transparency in terms of how many cyber incidents are taking place.
“The data about the different root causes for 2018 cyber incidents paint a very clear picture: most incidents happen because someone makes a mistake, not because someone is mounting a targeted cyber attack. Furthermore, more than 40% of the incidents are caused by factors that are outside the control of the impacted organisation (i.e., 3rd party failure, hardware/software issue, and other external factors).
“Based on these numbers, it is obvious that organisations need to implement new ways to protect their data as traditional perimeter defense is not sufficient anymore. Successful financial services organisations these days are taking a security approach where the protection travels with the data, no matter if it is in motion, at rest or in use.
“With such a data-centric approach to security, organisations are pro-actively protecting their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents,” she added.