UK Finance sector reports increase in DDoS-related cyber incidents

Keep up to date with latest blog posts

New Picus Security FOI research analyzes cyber incidents reported to the FCA in the first half of 2022

In July 2022, Picus Security issued a Freedom of Information (FOI) request to the UK Financial Conduct Authority (FCA) to understand the extent to which cybercrime has impacted the finance sector in the first six months of the year.  The request asked the FCA to provide information about the number and type of cyber incident reports it received during this period.

The data obtained from this FOI is compared to that obtained via a previous request by Picus, which analyzed incident reports submitted to the FCA in 2021. The results are summarised in this blog, alongside commentary from Dr Suleyman Ozarslan, Picus Security Co-Founder and VP of Picus Labs.

Key Findings

The latest data obtained from the FCA offers reasons to be optimistic about the operational resilience of organizations in the finance sector. However, the surge of Distributed Denial-of-Service (DDoS) attacks, which have the potential to deny access to critical services, is a cause for concern.

Key findings of our FOI analysis: 

  • The FCA received 55 reports of ‘material’ cyber incidents in the first half of 2022, down 25% from 73 in H1 2021.
  • 64% of reported material cyber incidents in H1 2022 were due to cyber-attacks.
  • 25% of cyber incidents submitted to the FCA in the first half of 2022 involved DDoS, compared to 4% in 2021. 
  • The number of cyber incidents in H1 2022 involving malware and phishing decreased 75% and 50% respectively, compared to the same period in 2021.
  • Cyber incidents involving ransomware decreased 63% in H1 2022 compared to the number reported in H1 2021.


The FCA regulates the activity of more than 50,000 UK financial services firms. If any of these businesses suffer a material cyber incident, they must notify the FCA. A material incident is defined as a cyber incident that:

  • Results in significant loss of data, or the availability or control of its IT system
  • Impacts a large number of victims
  • Results in unauthorized access to, or malicious software present on, its information and communication systems.

FOI Analysis

Fewer Cyber Incidents Reported 

Compared to the same period in 2021, the number of cyber incidents reported to the FCA in the first half of 2022 decreased significantly. In total, the FCA received 55 cyber incident reports in H1 2022, compared to 73 in 2021. 

As per our previous report, the higher number of incidents in H1 2022 (particularly March that year) is likely to be a consequence of attackers exploiting vulnerabilities in Microsoft Exchange server.  The data obtained in relation to H1 2022 is, therefore, more on par with the figures reported in the second half of 2021.

During H1 2022, cyber incidents involving malware and phishing declined 75% and 50% respectively, compared to the same period in 2021. Ransomware incidents reported to the FCA are down 63% in H1 2022 compared to H1 2021. 

“Despite a reduction in the number of reported incidents in the first half of 2022, ransomware still continues to pose a significant risk to organizations,” said Dr. Ozarslan.

“As we’ve seen multiple times in the past are quick to exploit new vulnerabilities, making it vital for financial sector firms to stay proactive and close gaps before they can be exploited.

DDoS Attacks Surge   

A quarter of cyber incidents reported to the FCA in the first half of 2022 involved Distributed Denial-of-Service attacks. This figure is up from 4% in the previous year. In fact, there were more incidents involving DDoS reported to the FCA in March and April 2022 than there were during the whole of 2021.  

This significant increase in DDoS activity is most likely explained by nation-state attackers and hacktivists targeting western nations during the ongoing Russia/Ukraine conflict. Countries like the UK, US and Germany were among the first to implement sanctions against Russia.

“DDoS attacks are a concern for financial institutions, with their ability to disrupt operations and even bring them down entirely,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and President of Picus Labs. “UK financial institutions are in the crossfire of the ongoing war between Russia and Ukraine and have become a direct target for nation-state attackers and hacktivists seeking to disrupt Ukraine’s allies.

Total Number of DDoS Attacks Reported to the FCA

The Threat of Carpet-bombing

Carpet-bombing, a term used to describe a sophisticated type of DDoS attack, has emerged as a popular method of attack among nation-state attackers as well as patriotic hacktivist groups. To-date, carpet-bombing attacks have been primarily used against internet services companies and critical infrastructure providers but the finance sector is now also a target.

“Carpet-bombing attacks are less likely to trigger DDoS detection mechanisms because they generate a smaller amount of traffic per target host,” says  Dr. Ozarslan. “As a result, they can be extremely difficult to mitigate.”

“To reduce the risks, businesses must be able to scrutinize large traffic volumes over time and respond swiftly to anomalies that threaten network availability.”

DDoS as an Extortion Tactic

Although the primary reason behind the uptick in DDoS is highly likely the ongoing war in Ukraine, other factors may also be in play. DDoS attacks are now increasingly used by ransomware gangs to extort money. The proliferation of DDoS for hire websites also makes this form of attack more accessible to less technically sophisticated cybercriminals.

Double extortion methods involve cybercriminal gangs pressuring their targets to pay a ransom by leaking data online, informing customers/the media about the breach, or disrupting operations through the use of DDoS. 

Final Thoughts

“While it’s encouraging that financial firms reported fewer cyber incidents in the first half of 2022 than they did during the equivalent period in 2021 there is no time for complacency,” says Dr. Ozarslan.

“As threats evolve and the war in Ukraine continues, financial institutions must continue to proactively harden their defenses. This includes validating that security controls and processes are effective at defending against the latest risks.” 

Download Picus Security’s latest whitepaper to learn more about how financial firms can validate and continually enhance their cyber readiness.

About Picus Security

At Picus Security, we help organizations to continuously validate, measure and enhance the effectiveness of their security controls so that they can accurately assess cyber risk and strengthen resilience.

As the pioneer of Breach and Attack Simulation (BAS), our Complete Security Control Validation Platform is trusted by security teams worldwide to proactively identify security gaps and deliver actionable insights to address them.


Keep up to date with latest blog posts