Financial service firms across the UK reported nearly 1000 cyber incidents to the region's Financial Conduct Authority in 2018, a significant jump from the year prior.
According to a Freedom of Information (FOI) request made by RSM, an international accountancy firm based in London, 819 cyber incidents were reported by financial services firms there last year. That’s a marked increase from 2017 when only 69 incidents were reported to the regulator.
While it operates independently of the UK Government, the Financial Conduct Authority oversees the conduct of 58,000 financial services firms and is the prudential regulator for over 18,000 of them; it is funded by charging fees to firms in the financial services industry.
Retail banks were the biggest victims according to RSM, with 486 incidents, more than half of the total. Wholesale financial markets, retail investments, retail lending, general insurance and protection, pensions and retirement income, and investment management outfits accounted for the remaining incidents.
Not every incident was classified as a cyber-attack by the regulator; some were blamed on third party failure, hardware and software issues, human error, and process/control failure.
Of the incidents branded as a cyber-attack, perhaps unsurprisingly many were linked to phishing or credential compromises. Other attacks involved ransomware (which the regulator categorizes as malicious code) and distributed denial of service attacks.
The root causes of cyber incidents reported to the FCA:

| Root cause | Number | Percentage |
|---|---|---|
| Third-party failure | 174 | 21% |
| Hardware or software | 157 | 19% |
| Change management | 146 | 18% |
| Cyber attack | 93 | 11% |
| TBC | 93 | 11% |
| Human error | 47 | 6% |
| Process or control failure | 45 | 5% |
| Capacity management | 25 | 3% |
| External factors | 17 | 2% |
| Theft | 11 | 1% |
| Root cause not found | 11 | 1% |
| Total | 819 | |
It's possible that the numbers reflect increased scrutiny of security and data breach reporting following last year's implementation of the General Data Protection Regulation.
The FCA not too long ago implemented its own requirements around data breach disclosure:
According to the FCA's SUP 15.3.1 general notification requirements, “A firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future:
- The firm failing to satisfy one or more of the threshold conditions; or
- Any matter which could have a significant adverse impact on the firm's reputation; or
- Any matter which could affect the firm's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or
- Any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.”