Financial services companies in the UK saw a fivefold rise in data breaches in 2018 compared with the year before, according to the Financial Conduct Authority, in the latest sign of how the sector is under relentless attack from hackers.
Companies reported 145 breaches to the FCA last year, up from 25 in 2017, with investment banks reporting the highest number of incidents at 34, up from just three the previous year. Retail banks saw the sharpest rise in percentage terms, from 1 to 25. The data were obtained through a freedom of information request by the law firm RPC.
Last April, it emerged that seven UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained attacks that cost them hundreds of thousands of pounds to remedy. In October, Tesco Bank was fined £16.4m by the FCA as a result of a cyber attack in 2016 that saw £2.26m stolen from current accounts across 34 transactions.
Last year’s jump in reported attacks can partly be explained by the introduction of the EU’s General Data Protection Regulation last May, which requires businesses to identify and report cyber attacks within 72 hours or face penalties. But executives at leading banks and payments companies said they were now under almost constant fire from attackers.
A chief information officer at one UK bank said: “We are seeing a lot more threat actors knocking at the front door . . . it ranges from individual kids to, increasingly, the criminal fraternity and national states. You have to constantly improve to keep up and protect yourself.”
A senior figure at another high-street bank said a serious incident was the “biggest fear” for boards because it was harder to prepare for than traditional challenges. “If you think an economic downturn is coming you can load up on capital, if you think a bank run is coming you can load up on liquidity, you can’t do that here.”
Financial institutions are sometimes direct targets because of the sensitivity of the data they hold, but are also hit by criminals who will exploit any institution for tasks such as generating cryptocurrency or diverting traffic. Perpetrators are rarely caught because they tend to work remotely, often from countries where it is harder to prosecute cybercriminals.
“We know that the number of cybercriminals prosecuted under the Computer Misuse Act is below 100 annually. When you compare that to the number of cyber crimes being reported across all industries, you can see that it’s a very lucrative criminal enterprise,” said Richard Breavington, partner at RPC and head of its cyber insurance and breach response team.
“[Companies] have done intensive training and made response plans that weren’t there before. GDPR has certainly influenced the reporting of breaches,” he added. This was reflected in the FCA data: in June 2018, the first month after the introduction of GDPR, the authority saw the highest monthly total of data breach reports, with 20 incidents reported by financial services companies.
According to FCA rules, banks must report any “material” cyber incident. A data breach could include targeted cyber attacks or accidents such as sending an email containing customer data to the wrong address. Problems are considered “material” if they lead to a significant loss of data or availability of systems, affect a large number of customers, or give any unauthorised access to their systems.