UK audit, tax and consulting firm RSM says that 2018 saw a massive surge in cyber incident reports by financial services firms. In 2018, there were 819 reports to the Financial Conduct Authority (FCA). That’s almost a twelvefold increase over the 69 incidents reported in 2017. The numbers were obtained via a Freedom of Information (FoI) request to the FCA.
Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: “While the jump in cyber incidents among financial services firms looks alarming, it’s likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.
“However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.”
RSM has broken the data down into three areas: the sector that the firms operate in, root causes, and a more detailed look at the types of cyber attacks.
Retail banks top the list of impacted sectors?
The sector most affected by cyber incidents is retail banking, accounting for 486 (59%) of incidents. This should come as no surprise given the growth of mobile banking and the constant presence of mobile banking malware.
There is no distinction between consumers and businesses in this category. It would have been more interesting if there were more clarity. For example, how many of the incidents were related to Business Email Compromise (BEC)? It is a growing area of fraud and one where the banks would like to push the blame back on the victim.
Third-party failure the most likely cause of an incident
RSM says that the most likely cause of a cyber incident is third-party failure (174 – 21%). Given that hardware/software failure (157 – 19%) is a separate category, this seems a little nebulous. Is it, for example, a failure in the power grid? Did the network fail as a result of someone digging up a cable? Without more detailed information, this seems to be a catch-all.
Change management (146 – 18%) is something that has affected all banks. Who can forget the TSB and NatWest debacles over software updates? The number, however, is higher than most corporate businesses would expect. The amount of money banks spend on IT, and the strict IT processes they have, also make this figure a real concern.
As Snaith points out: “Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.”
What were those cyber attacks?
Cyber attacks are put at just 93 of the 819 reported incidents. That appears to be a very low number given the amount of malware and attacks that are focused on financial systems. It may also be a heavily under-reported area. The figures from the FCA show the same number of root causes were classified as TBC, and a further 11 were classed as root cause not found.
This is where the limited details provided by RSM get interesting. For example, 48 (52%) were classified as phishing/credential compromise. This perhaps answers the question around BEC that we raised above. But at just 48 reports in 2018, when there is evidence that the number of successful attacks was far higher, once again we are looking at significant under-reporting.
The remainder of the attacks break down to ransomware (19 – 20%), malicious code (16 – 17%) and DDoS (10 – 11%). There is nothing here about insider attacks, either malicious or accidental. For there to be no attacks in this category beggars belief.
What is also missing here is data breaches where customer data has been stolen. Banks, like healthcare, are a prime target for this type of attack. This is because much of the data is highly accurate and can be used to facilitate a lot of very targeted attacks.
Enterprise Times: What does this mean?
If, as Snaith says, a significant portion of the increased reports is due to greater compliance, not least GDPR, there is something woefully wrong with these numbers. Data theft and privacy breaches do not seem to be identified here, and that is a major worry. In addition, the low number of incidents blamed on cyber attacks suggests significant under-reporting or deliberate misreporting.
Snaith comments that the financial services sector has been lucky recently. He said: “As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.”
However, luck and dodging attacks are not a viable cyber security strategy. Snaith makes this point, saying: “Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place.”