Britain’s financial industry suffered a 1,000% increase in cyber-related events in 2018, including more targeted hack attacks, a cyber security specialist has revealed.
Steven Snaith from tax consulting firm RSM used information requests to the Financial Conduct Authority (FCA) to compile a list of ‘declared events’ over the year.
Many of them were brought to light because of new reporting requirements under the General Data Protection Regulation (GDPR), which came into effect across Europe last year.
Firms suffering any kind of data breach are now required to report it to the Information Commissioner’s Office or run the risk of major fines, with a maximum penalty of €20 million or 4% of their annual turnover.
Mr Snaith said: “The web-enabled systems underpinning the financial services sector hold huge volumes of personal and financial data, which are incredibly valuable for cyber-criminals.
“One of the problems is that there are lots of freely available cyber-attack tools and knowledge that can be sourced online.
There is currently no legislation that makes possessing or developing these tools illegal and this is exacerbating the problem.”
Three of the growth areas in targeted cyber attacks were malware, ransomware and phishing.
Malware is a program inserted into a target computer by hackers and is designed to disrupt or damage the computer’s operating system or allow the hacker unauthorised access.
Ransomware is a hacking program which literally holds the owner of an infected system to ransom by permanently locking them out of the machine unless a ransom is paid to obtain the digital key to unlock the program.
Phishing is the fraudulent practice of sending emails which purport to come from a legitimate source in order to obtain personal and financial details – like passwords or credit card information – from the target.
But the majority of cyber incidents throughout the year did not involve hackers at all.
Most were caused by hardware or software issues, changes in company management or third-party failure.
Human error and failure to maintain adequate IT capacity also caused problems.
Mr Snaith commented that he believes there is still ‘a high level of under-reporting’ of incidents, warning: “Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties.
“Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place.”
Megan Butler of the FCA commented: “It is a major concern that a lot of firms still seem to be trying to get the basics right on cyber.
“A third of firms do not perform regular cyber-assessments. Most know where their data is, but describe it as a challenge to maintain that picture.
Nearly half of firms do not upgrade or retire old IT systems in time.
“And only the largest firms have automated their detection systems to spot potential cyber-attacks. Smaller firms are generally relying on old school, manual processes – or no processes at all.”