New data obtained by RSM under a freedom of information request has revealed that financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, a huge rise on the 69 incidents reported in 2017. The retail banks were responsible for the highest number of reports (486), almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
In this study from RSM looking at Freedom of Information (FoI) data from 2017-2018, UK financial services firms reported 12x more cyber incidents to the Financial Conduct Authority (FCA) https://t.co/MTc6nyER7i
— CISQ (@it_cisq) July 1, 2019
Experts Comments:
Anna Russell, VP at comforte AG:
“It looks as if stricter data privacy regulations like GDPR have resulted in more transparency in terms of how many cyber incidents are taking place. The data is an excellent start to understand the true scope of the issue at hand. The data about the different root causes for 2018 cyber incidents paint a very clear picture: most incidents happen because someone makes a mistake, not because someone is mounting a targeted cyber attack. Furthermore, more than 40% of the incidents are caused by factors that are outside the control of the impacted organization (i.e., 3rdparty failure, hardware/software issue, and other external factors). Based on these numbers, it is obvious that organizations need to implement new ways to protect their data as traditional perimeter defense is not sufficient anymore. Successful financial services organizations these days are taking security approach where the protection travels with the data, no matter if it is in motion, at rest or in use. With such a data-centric approach to security, organizations are pro-actively protecting their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents.”
Chris Miller, Regional Director UK & Ireland at RSA Security:
“Financial services has always been a rich targets for hackers, who are often motivated by money. Now, with more open banking, integrations, and payment services directives, as well as new regulatory requirements, managing digital risk has become even more challenging. Banks today are so digitally driven they could just as easily be described as tech companies. In fact, most money that circulates in the world now is electronic, not paper form. While this shift has created a number of efficiency and security gains, not to mention improvements in customer experience, it also creates new digital risks. However, many organisations are still trying to tackle these risks using old methods, with risk and compliance teams sitting separately from IT and security teams. This is despite the fact the lines between GRC, security and IT are becoming increasingly blurred. To be effective and to stem the tide, digital risks need to be addressed in a holistic way.”
Chris Hodson, EMEA CISO at Tanium:
“The rising number of cyberattacks impacting financial services firms underlines how even the most security conscious and heavily regulated industries can be struck by business disruption through the exploitation of IT vulnerabilities.
“While there’s evidence to suggest that at least some of this uptick is due to businesses getting better at reporting security incidents to the regulator, there’s a trend of computing devices being targeted by criminals to give them access to entire ecosystems. BlueKeep is a recent example of such a wormable threat, designed to exploit the IT infrastructure of companies without foundational security concepts in place.
“That’s why financial services firms must have visibility over all their IT endpoints – laptops, servers, virtual machines, containers, or cloud infrastructure – and maintain basic security hygiene practices, such as ensuring standard secure configurations on all devices, applying patches in a timely manner and improving the speed at which companies identify and respond to attacks.
“Our recent study found that over a quarter (28%) of UK CIOs and CISOs said that departments and business leaders work in silos, leaving them with a lack of visibility and control over IT operations. And this has directly affected the business, with the majority (83%) having found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.
“With the number of attempted cyber-attacks only set to increase as attackers become more and more sophisticated, company-wide visibility and control of digital assets is the only way to truly stop cyber attackers firmly in their tracks and ensure resilience against business disruption across financial services firms.”
Simon Rodway, Pre-sales Solutions Lead UK & Ireland at Entersekt:
“Cybercrime is global and extremely sophisticated in its organisation. Personal data, software, code — it all has a price, packaged for anyone from large syndicates to lone ne’er-do-wells. Like any trend, many of the scams spread across the globe in waves. We see attacks in one region now that popped up in another country years ago. Security is unfortunately very reactive. Security professionals often only focus on the threats they’re currently facing or have been alerted to. This means that fraudsters have a long time to exploit a vulnerability before that hole is closed globally and they have to find another.
“The industry, however, is all too aware of this trend and has been working towards providing suitable solutions for end-users, businesses, and organisations. Unfortunately, organisational inertia is a reality, which often means that implementing solutions like these can take more time than it should. Cost savings and reliance on legacy security measures with known weaknesses, such as SMS OTPs, for example, can also cause problems.
“Nowadays, high-profile cyberattacks often make the headlines. Especially in the financial industry, fraudsters are using increasingly sophisticated attack measures. They not only employ the latest technological innovations, but also make use of extensive organisational networks and structures to maximise impact. This means that prioritising security is becoming more important than ever, for financial institutions especially, and that traditional approaches need to be revisited — not only to keep up with attackers, but with end-users’ concerns and demands, too.”
Nigel Hawthorn, Data Privacy Expert at McAfee:
“Strengthened regulations (FCA and GDPR) combined with greater enforcement has resulted in cyber incident reports from the UK financial services industry increasing by more than 1000% over a year. We may be shocked, but we shouldn’t be. It is widely recognised that cyber incidents were previously underreported. It’s positive to see the industry is now reporting issues so the sector can get the full picture and ensure steps are taken to better protect data and systems against current and emerging threats.
“Financial institutions must find the right combination of people, process and technology to effectively protect themselves from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems. This means redoubling efforts in training and managing user activities to quickly detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners. With the prospect of damaged customer trust and fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher.”
Ed Macnair, CEO at Censornet:
“It’s not especially shocking that reported cyber incidents have increased more than ten-fold in the year since mandatory breach disclosure was introduced by the GDPR. However, what an increased number of disclosures does give us is a much clearer picture of exactly what incidents financial institutions are falling foul to.
“For example, out of the types of successful cyber attack that the finance industry reported in 2018, phishing and credential compromise accounted for more incidents than malware, ransomware, and DDoS put together. While the latter three dominate the headlines, these figures show that it’s the oldest, and simplest tricks that still cause the most headaches for the finance industry. Human error also accounts for more incidents than the “advanced” attacks combined.
“The lesson: even in one of the highest regulated industries, companies would be in a much better position if they could simply get the basics right. They need to cover the main points of weakness, protect their staff, and ensure they don’t have the means or opportunity to put their organisations at risk. We can only hope that mandatory disclosure will spur these companies into action.”
