FCA reports 52% jump in security incidents

The UK’s Financial Conduct Authority (FCA) has revealed it received 116 cyber incident reports during the course of 2021, approximately 23 of them involving ransomware, up 52% on the 2020 figure of 76.

The disclosure was made in response to a freedom of information (FoI) request made by Picus Security, which said it wanted to gain an up-to-date picture of the operational resilience of the financial services industry, which continues to be an exceptionally attractive target for malicious actors – even though it is, in general, more adept at managing its cyber risk appropriately than the majority of industries.

“Financial services firms are amongst the best prepared and most highly capable organisations at detecting and responding to cyber incidents,” said Suleyman Ozarslan, Picus Security co-founder and vice-president of Picus Labs. “Yet, despite investing heavily in security and data protection, it’s clear that many continue to experience challenges in these areas.

“The large rise in cyber incidents reported to the FCA in 2021 is a concerning trend and should serve as an important reminder to all firms about the need to make ongoing improvements in all areas of security. This is necessary to not only mitigate the risks posed by external threats but also those which arise due to IT failures and human error.”

The FCA, which regulates the activity of more than 50,000 organisations in the UK, mandates that any “material” security incidents must be reported to it. The FCA defines an event as material if it results in significant data loss, causes IT systems to become unavailable or beyond control, affects a large number of customers, or results in unauthorised access to information systems.

Picus found that of the 116 notifiable incidents, 75 were due to cyber attacks, and a third involved the possible compromise of company or personal data. As already noted, a fifth of them involved ransomware.

Ozarslan suggested that the increase may reflect the acceleration in digital transformation within financial services organisations, most notably caused by the widespread adoption of remote working practices during the pandemic, which has thrown previously resilient security postures out of balance – the FCA also revealed that notifiable incidents during 2020 dropped compared to 2019.

On top of this, he said, organisations had to contend with more active and advanced threat groups and ransomware operators, and manage a series of critical vulnerabilities in widely used systems.

One such “mega” vulnerability disclosure made in 2021 – the March disclosure of four critical flaws in Microsoft Exchange Server that were weaponised by China’s Hafnium Advanced Persistent Threat (APT) group, clearly reflects in the FCA’s data, which shows a huge spike in attacks during the spring.

“Defending financial institutions against all the threats they face remains a tough challenge, made even harder by the growing attack surface,” concluded Ozarslan.

“Only by validating security capabilities on a continuous basis can firms hope to measure their threat readiness more accurately and swiftly close the gaps needed to take their operational resilience to the next level.”