The number of cyber incidents reported by financial services companies has skyrocketed, as regulators are told to encourage scenario testing.
Data from the UK’s Financial Conduct Authority (FCA) revealed that the number of reported cyber events jumped from 69 in 2017 to 819 in 2018, an increase of more than 1,000%. Retail banks accounted for almost 60% of reported incidents.
Third-party failures were the biggest cause of cyber incidents (21% of reports), followed by technical faults (19%), and change management (18%). Human error accounted for 6% of incidents.
There were also 93 cyber-attacks (11% of incidents) reported to the FCA in 2018. Of these, just over half were phishing attacks, 20% were ransomware attacks, 16% were from malicious code, and 11% were denial of service attacks.
The increase probably reflects increased reporting requirements for banks and other financial services firms.
Last year the FCA observed that firms were reporting incidents more robustly, although it believed that underreporting was still a problem.
UK financial services firms are required to report material cyber events to the FCA, including events that result in significant loss of data or affect the availability of services.
In addition, the EU’s General Data Protection Regulation (GDPR) requires businesses to identify and report data breaches to relevant regulators within 72 hours.
Financial services regulators have gradually increased their focus on cyber risk in recent years, following a number of IT-related outages and cyber-attacks. In the latest Bank of England (BoE) Systemic Risk Survey, cyber risk was cited as the biggest threat to finance after political risks.
The Future of Finance Review – commissioned by the BoE and published in June – warned that the financial system is under almost constant cyber-attack and that cyber incidents are growing rapidly in number, scope, and sophistication. It recommended that regulators take steps to enhance protection against cyber risks.
In particular, it recommended that regulators increase the frequency of cyber penetration tests and establish an industry “safe harbour” for encrypted customer account data.
Following the Hamilton Series of cyber exercises conducted by the US government in 2017, the US finance industry established Sheltered Harbor, which enables the recovery of customer account information in the event of a cyber incident.
The report suggested that a UK version of Sheltered Harbor would be a “powerful tool” for firms and authorities alike.
The Future of Finance Review also called for better access to cyber insurance, which it says can help firms build resilience and recover from incidents. According to the report, the “economic and commercial case for cyber-insurance is clear”, yet the “majority of losses remain uninsured”.
“Insurance can help businesses recover from the potentially devastating costs of a cyber incident to support and sustain activity and employment in the real economy. Insurance cover can also provide support from specialist insurance risk managers and create incentives to manage risk,” the report said.
In particular, the report recommended that regulators should encourage better information disclosure on cyber threats to help develop the data required for a more effective cyber insurance market.
Increased collation and availability of anonymised data on cyber incidents would be a “tangible step” in developing a deeper insurance market, it said.
Following a number of high-profile service outages and cyber-attacks, financial services regulators have turned their attention to the wider issue of cyber resilience.
Last year, the FCA reported a 187% increase in technology outages reported to it in the first nine months of the year. Many of these outages were linked to re-platforming and outsourcing failures, while 20% of reported incidents were explicitly linked to weaknesses in change management, it said.
In its recent Financial Stability Report, the Bank of England said it will look at how firms recover from a cyber incident. Its Financial Policy Committee confirmed that it would set “impact tolerances” to clarify how quickly firms must restore vital financial services following a severe but plausible cyber incident.
It will also measure firms’ ability to meet impact tolerances under regular cyber stress tests – with a pilot stress test being conducted over the summer.