Cyber attacks in UK finance sector skyrocket, finds FCA

Financial services companies are obvious targets for attackers— but what’s behind the latest rise?
2 July 2019

One of the offices of HSBC Bank in the UK. Source: Wikimedia

In a recent report, The UK’s Financial Conduct Authority (FCA) noted that 819 new cases of cyber attacks in the UK finance sector were reported in 2018, a dramatic increase from only 69 cases the year before.

The statistics by FCA broke down the reports further by classifying them based on the institutions, and it appeared that apart from banks, other financial institutions reported an increase in cyber attacks as well. 

Fifty-nine percent of the complaints came from the retail banking sector, while financial institutions reporting cybersecurity incidents including wholesale financial markets (14 percent), retail investment firms (6 percent), retail lending (6 percent) and insurance companies (6 percent). 

Given the nature of the potentially lucrative private information handled by financial services firms, they are an obvious target for attackers. 

For this reason, the industry has invested heavily in cybercrime security awareness in recent years. As a result, often the most effective entry method is via lost or compromised devices, and insider threats. But that’s not to say malware and hacking don’t also play a role in security breaches. 

Hackers are way ahead

According to Simon Rodway, the lead for pre-sales solution for Entersekt Ireland & UK, cybercriminals employ the latest technology and leverage extensive organizational networks and infrastructure to maximize their impact. 

He also noted that cyber attacks move in waves; where attacks at a region might have appeared in another region before.

At present, cybersecurity professionals focus on present threats or those that they receive alerts to, which may be a contributor to the problem; “This means that fraudsters have a long time to exploit a vulnerability before that hole is closed globally and they have to find another.”

The cybersecurity industry is aware of these trends and they work to provide proper solutions for their end users. 

However, reliance on legacy technology only hold these implementations back longer. “Cost savings and reliance on legacy security measures with known weaknesses, such as SMS OTPs, for example, can cause problems,” Rodway adds.

Internal setbacks

From the statistics, the highest number of cyber attacks in UK finance were attributed to managerial changes, denoting that mismanaging an IT environment provides the room for hackers to do their thing.

One key requirement of the General Data Protection Regulation (GDPR) may help curb this problem. According to Steve Snaith, a Technology Risk Assurance Partner at RSM, “The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.”

The statistics, however, have a bright side. These numbers shown by the report may also indicate diligence by these establishments in reporting such incidents since GDPR was mooted in 2018; it’s likely that this is due in part to firms being more proactive in reporting incidents to the regulator. 

It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements,” added Snaith.

However, Snaith still feels that many cases aren’t being reported. To ensure this doesn’t happen, FCA has put in place a policy that penalizes any firm that fails to report significant attempts of fraud via cyber attacks.

Eradicating the risk of cyber attacks completely is far from possible. The data shared by FCA goes on to show that as the world becomes increasingly connected, newer strategies need to be devised in order to prevent cyber crimes; and the first step is to relook into the strength of the security infrastructure that’s currently in place.