The number of cyber-attacks against financial services companies reported to the Financial Conduct Authority (FCA) has risen by more than 80 per cent in the last year.
In 2017, 69 material cyber incidents were reported to the FCA, an increase on the 38 in 2016 and 24 in 2015. The figures were revealed by Robin Jones, the FCA’s Head of Technology, Resilience and Cyber in a speech delivered to the PIMFA Financial Crime Conference on 25 January 2018.
Regulated financial services companies are required to report material cyber incidents to the FCA if they:
* lead to a significant loss of data, or the availability or control of IT systems
* affect a large number of customers, or
* result in unauthorised access to, or malicious software present on, the company’s information and communications systems.
Over the last year, the National Cyber Security Centre recorded over 1,100 reported attacks, with 590 regarded as significant. Thirty of these incidents required action by government bodies, a number of which were targeted at financial sector organisations.
Last year a survey by Zurich found that 49% of small- to medium-sized companies had no plans to spend more than £1000 on cyber security. Some 875,000 smaller companies had suffered a cyber attack, with companies based in London being worst affected.
Last June Aviva announced that it was planning to expand its presence in the cyber cover market, while this month Arc Legal launched its cyber policy for HNW individuals, and Travelers Europe and Pioneer Underwriters have also boosted their cyber offerings early in 2018 – the cyber protection market seems set for big growth this year.
Commenting on the rise in reported attacks, Jan Hameed, a technology risk assurance director at RSM said: ‘This increase in reported attacks reflects a drive for greater accountability with respect to reporting such incidents, as well as the growing frequency of such attacks.
‘However, the overall numbers of reported incidents do appear to be quite low when you consider that ONS statistics suggest there are about 1.9 million incidents of cyber-related fraud each year. This either suggests that financial services firms are exceptionally resilient or are failing to detect cyber-attacks. Another possibility could be that some are choosing not to report material attacks in order to avoid any reputational damage. Failure to detect and/or refusing to report incidents is very risky and short-sighted, as it is counterproductive to exposing and addressing systemic weaknesses.
‘Regulated companies would do well to heed the warning from the FCA on where firms could improve resilience. Notably, the FCA argues that Boards must assume responsibility for cyber security given the risks to the business, its customers and the wider market. It also advocates for a greater focus on ‘basic hygiene’ – making sure that critical assets including data are identified and that detection of attacks is improved.
‘One of the biggest risks facing financial services companies is complacency. Cyber-attacks will actively adapt to defensive controls. As the FCA highlights, individuals and criminal groups are developing tools and exploiting vulnerabilities on an industrial scale. Financial services firms need to ensure they always stay one step ahead.’