The BBC reports that official figures show a sharp increase in the number of cyber incidents reported by the UK's Financial sector. A Freedom of Information request to the FCA revealed that the number of declared events rose by over 1,000% from 69 in 2017 to 819 in 2018.
The increase is likely to be driven in part by the introduction of the GDPR, says that all organisations have to report certain types of security breaches, but RSM – the tax and consulting firm that made the FoI request – said it also reflected the increasing number of attacks on the industry.
“The web-enabled systems underpinning the financial services sector hold huge volumes of personal and financial data, which are incredibly valuable for cyber-criminals,” Steven Snaith – the firm’s cyber-security specialist, told the BBC.
“One of the problems is that there are lots of freely available cyber-attack tools and knowledge that can be sourced online. There is currently no legislation that makes possessing or developing these tools illegal and this is exacerbating the problem.”
It’s not possible to provide a like for like comparison for each type of incident as the FCA changed its categories between 2017 and 2018, but the regulator did share the following figures, including early data for 2019.
|Root cause||Occurrences Jan-Dec 2018||Occurrences in Jan-May 2019|
|Hardware & software issues||157||64|
|Attack – DDoS||10||2|
|Attack – Malware||16||5|
|Attack – Ransomware||19||0|
|Cyber-attack – Phishing/other compromise||48||29|
|To be confirmed||93||82|
|Failure to manage IT||25||4|
A spokesperson for the FCA referred the BBC to a speech given by their executive director of supervision last November. Megan Butler said:
“It is a major concern that a lot of firms still seem to be trying to get the basics right on cyber,”
“A third of firms do not perform regular cyber-assessments. Most know where their data is, but describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time.”
“And only the largest firms have automated their detection systems to spot potential cyber-attacks. Smaller firms are generally relying on old school, manual processes – or no processes at all.”
Back to News