New figures from the FCA show that reported data hacking attacks against financial services companies have quadrupled in the last year.
The new statistics, contained in a freedom of information response to audit, tax and consulting firm RSM, show that reported incidents of loss of data resulting from hacking have risen from 4 in 2016 to 17 in 2017. There were also two separate incidents of ‘data leakage’ reported to the FCA.
The figures also show a rise in the number of incidents of financial loss resulting from malware infection. In total, there were four reported cases in 2017, up from just one in the previous year.
The new statistics shed more light on recently announced figures that the overall number of cyber incidents reported to the FCA jumped over 80 per cent from 38 in 2016 to 69 in 2017.
During 2017, the retail banking sector suffered the highest number of reported attacks (17), followed by retail lenders (16) and investment management firms (16). There were a further 11 incidents reported to the FCA by insurance firms.
Steve Snaith, technology risk assurance partner at RSM said: ‘We have previously raised concerns that there is likely to be significant under-reporting of cyber-attacks by regulated financial services firms. Nevertheless, these new numbers do reveal some important trends.
‘The jump in incidents of data loss resulting from hacking attacks should be particularly concerning to the financial services sector, given we are just months away from the new GDPR regime coming into force.
‘GDPR should be one of the most pressing issues for the sector and regulated companies should heed the FCA’s recent warning that firms must improve their cyber resilience. Cyber-attacks are becoming increasingly sophisticated and are constantly evolving and adapting. One of the biggest challenges is trying to ensure that defensive controls keep up.’
On 8 March, RSM will be holding a special cyber security within financial services seminar which will look in more detail about current risks, trends and simple steps to help companies defend themselves from cyber criminals.
Cyber Incidents Reported to the FCA during the years 2015, 2016 and 2017 by Regulated Firms
| Type of attack | 2015 | 2016 | 2017 |
| Denial of Service | 20 | 18 | 16 |
| Hacking – Loss of Data | 0 | 4 | 17 |
| Ransomware | 0 | 4 | 8 |
| Cyber | 0 | 0 | 10 |
| Hacking – Service Disruption | 2 | 3 | 4 |
| Phishing/ Smishing / Vishing | 0 | 1 | 5 |
| MalWare – Financial Loss | 1 | 1 | 4 |
| Unathorised access-CMA | 0 | 2 | 1 |
| Phishing/ Smishing | 0 | 3 | 0 |
| Third Party Failure | 0 | 1 | 1 |
| Data Leakage | 0 | 0 | 2 |
| Social Engineering – Financial Loss | 1 | 0 | 1 |
| Fraud | 0 | 1 | 0 |
| Grand Total | 24 | 38 | 69 |
| Sector | 2015 | 2016 | 2017 |
| Retail banking and payments | 9 | 23 | 17 |
| Retail lending | 1 | 2 | 16 |
| General insurance and protection | 1 | 1 | 11 |
| Pensions and retirement income | 2 | 1 | 2 |
| Retail investments | 0 | 1 | 1 |
| Investment management | 4 | 3 | 16 |
| Wholesale financial markets | 7 | 7 | 6 |
Source: FCA (To note, The FCA logs treat attack campaigns (a series of incidents attributable to the same actor with the same motivation, carried out over a short period of time) as a single incident.
