Cybersecurity Incidents in
The UK Financial Sector
March 29, 2022
Picus Security report reveals 50%+ increase in cyber incidents reported to the Financial Conduct Authority
Financial services firms continue to be an extremely attractive target for cybercriminals. While on the whole, the sector is aware of the risks it faces and prioritizes security accordingly, the latest techniques that cybercriminals use means that preventing and detecting attacks is increasingly challenging.
To obtain a better picture of the operational resilience of the financial industry in the UK, Picus Security submitted a Freedom of Information (FOI) request to the Financial Conduct Authority (FCA).
The FCA regulates the activity of more than 50,000 financial services firms and mandates that all under its jurisdiction must report ‘material’ cyber security incidents.
Our researchers were interested to learn about the number and type of incident reports the FCA received in 2021 so in January this year, we asked the organization a series of questions. The answers to these questions are analyzed in a summary report and compared against data from other sources.
Key findings of our FOI request
Over 50% more material cyber security incidents were reported to the FCA in 2021 compared to 2020.
Nearly two-thirds of cyber incidents reported in 2021 were due to cyber attacks.
Approximately one-third of incidents contained notifications where the confidentiality of company or personal data may have been compromised or breached.
One in five incidents reported to the FCA in 2021 involved ransomware.
What is a material cyber security incident?
Under Principle 11 of the FCA Handbook, all financial firms must inform the FCA if a material cyber security incident is identified.
According to the FCA, an incident may be material if it:
results in a significant loss of data
results in the unavailability or control of IT systems
affects a large number of customers
results in unauthorized access to information systems
Why more cyber incidents in finance in 2021?
The underlying reason(s) for a 50%+ increase in the total number of cyber incidents reported to the FCA in 2021 compared to 2020 is unclear. What we do know, is that firms in the financial services sector remain a very attractive target and are frequently attacked by Advanced Persistent Threat groups and ransomware operators such as Lazarus and Conti. In 2021, organizations in the sector were also forced to manage the impact of a record number of critical vulnerabilities, such as those in Microsoft Exchange Server and Log4j.
Digital transformation and the widespread adoption of remote working are other possible explanations for the rise in incidents, creating a wider attack surface and new gaps for threat actors to exploit. If these gaps are not swiftly identified and mitigated at both prevention and detection levels, then they can increase the dwell time of attackers and the likelihood of incidents resulting in damage and disruption.
It is worth noting that approximately one-third of cyber incidents reported to the FCA in 2021 were not a direct result of cyber attacks. Most likely, these incidents were caused by system and process failures as well as employee errors.
Read more about key threats and cyber risks facing organizations in 2022
Insights from Picus Labs
“Financial services firms are amongst the best prepared and most highly capable organizations at detecting and responding to cyber incidents,” says Dr Suleyman Ozarslan, Picus Security co-founder and VP of Picus Labs. “Yet, despite investing heavily in security and data protection, it’s clear that many continue to experience challenges in these areas.
“The large rise in cyber incidents reported to the FCA in 2021 is a concerning trend and should serve as an important reminder to all firms about the need to make ongoing improvements in all areas of security. This is necessary to not only mitigate the risks posed by external threats but also those which arise due to IT failures and human error.
“Defending financial institutions against all the threats they face remains a tough challenge, made even harder by the growing attack surface. Only by validating security capabilities on a continuous basis can firms hope to measure their threat readiness more accurately and swiftly close the gaps needed to take their operational resilience to the next level.”
At Picus Security, we help organizations to continuously validate, measure and enhance the effectiveness of their security controls so that they can more accurately assess risks and strengthen cyber resilience.
As the pioneer of Breach and Attack Simulation (BAS), our Complete Security Control Validation Platform is used by security teams worldwide to proactively identify security gaps and obtain actionable insights to address them.