Over 800 cyber incidents reported to FCA by financial firms last year

According to new data obtained via a freedom of information request, financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) during 2018.

The figures show a substantial rise compared to the 69 incidents which were reported in 2017.

The retail banking sector was responsible for the highest number of incidents with 486, just under 60 per cent of the total. This was followed by wholesale financial markets with 115 reported incidents and retail investments with 53 incidents.

They were followed by retail lending (52), insurance and protection (49), pensions and retirement (35) and lastly investment management with 29 reported incidents.

Experts believe the sharp increase in the number of incidents is partly due to firms being more proactive about reporting incidents to the regulator, as well as an increased focus on security and data breach reporting following the GDPR and recent FCA requirements.

It is also thought that there is still a high level of under-reporting, despite the fact that failure to report an incident to the FCA could lead to sanctions and penalties.

The data revealed that there were 93 cyber-attacks reported to the FCA during 2018. Over half of these (52 per cent) were phishing attacks, while 20 per cent were associated with ransomware, 17 per cent were due to malicious code and 11 per cent were DDoS attacks.

The main root causes of the reported cyber incidents were third-party failure (21 per cent), issues with hardware/software (19 per cent) and change management (18 per cent).

Human error accounted for 6 per cent of the incidents and theft was responsible for only 1 per cent.

There are now calls within the industry for more to be done to embed a cyber-resilient culture and ensure effective incident reporting processes are in place to limit the number of reports.