FCA calls for ‘candid’ reporting of cyber attacks

30 January 2018

The UK’s financial services regulator has sent a stark warning to banks and financial services firms that it expects prompt reporting of data breaches and other cyber attacks.

According to the Financial Conduct Authority (FCA), the number of ‘material’ cyber attacks reported to the regulator has risen from just five in 2014 to 39 in 2016 and 49 in 2017, a pro-rata 67% increase. In particular, the FCA said it had seen a rise in ransomware attacks, which accounted for 17% of reported cases in 2017.

Despite the increase in incidents reported to the FCA, the regulator believes that there is “a material under reporting” of cyber attacks in the financial services sector. Speaking at the ICI Global Conference in London in December, Megan Butler, FCA Director of Supervision, said that the number of reported breaches was “modest” when set against the number of attacks on the industry.

Ms Butler said that the FCA expects “candour” from regulated firms and they should report data breaches and cyber attacks as soon as they are aware something is wrong. “It is essential we know about breaches in real time – as much as anything so we can support firms as they respond to an attack,” she said.

Separately, the FCA is to require UK banks to make details of cyber security incidents public from August 2018. Under new proposals, providers of personal and business current accounts will have to publish information to help customers compare services from different providers. This will include statistics on how often the firm has had to report major operational and security incidents, including breaches of cyber security and outages.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks, at cyber@jltgroup.com.