Cyber incidents reported to the FCA up over 50% according to Picus Security FOI analysis

116 cyber incident reports received by the Financial Conduct Authority in 2021, a fifth involving ransomware

London, UK, 29 March 2022Picus Security, the pioneer of Breach and Attack Simulation (BAS), today released a report revealing a large rise in cyber incidents reported to the UK’s Financial Conduct Authority (FCA). 

The report, based on FCA data obtained via a Freedom of Information (FOI) request, reveals that:

  • The FCA received 116 reports of material cyber security incidents in 2021, up from 76 in 2020 (an increase of 52%).
  • 65% of cyber incidents reported in 2021 (75) were due to cyber-attacks.
  • Approximately one third of incident reports (37) contained notifications where the confidentiality of company or personal data may have been compromised or breached.
  • One in five incidents reported to the FCA in 2021 involved ransomware.
  • 21 cyber incidents were reported to the FCA in March 2021 – the most submitted in any month that year and coinciding with the disclosure of critical vulnerabilities in Microsoft Exchange Server.

“Financial services firms are amongst the best prepared and most highly capable organisations at detecting and responding to cyber incidents,” says Dr Suleyman Ozarslan, Picus Security co-founder and VP of Picus Labs. “Yet, despite investing heavily in security and data protection, it’s clear that many continue to experience challenges in these areas.

“The large rise in cyber incidents reported to the FCA in 2021 is a concerning trend and should serve as an important reminder to all firms about the need to make ongoing improvements in all areas of security. This is necessary to not only mitigate the risks posed by external threats but also those which arise due to IT failures and human error.”

Digital transformation in the financial services sector, including widespread adoption of remote working, means that many firms over the last few years have had to adjust their security and data protection practices. On top of this, they have had to contend with being a target of Advanced Persistent Threats groups and ransomware operators, as well as manage the risks of critical vulnerabilities in widely used systems such as Microsoft Exchange Server.

“Defending financial institutions against all the threats they face remains a tough challenge, made even harder by the growing attack surface,” Ozarslan added. “Only by validating security capabilities on a continuous basis can firms hope to measure their threat readiness more accurately and swiftly close the gaps needed to take their operational resilience to the next level.”

Notes for editors

The UK’s Financial Conduct Authority (FCA) regulates the activity of more than 50,000 financial services firms. If any of these firms suffer a material cyber incident, they must notify the FCA. 

According to the FCA, an incident may be material if it:

  • results in a significant loss of data
  • results in the unavailability or control of IT systems
  • affects a large number of customers
  • results in unauthorized access to information systems

In January 2022, Picus Security submitted a Freedom of Information (FoI) request to the FCA to understand the degree to which cyber incidents impacted the UK finance sector in 2021 and compared the data against similar information previously disclosed by the organization.

Read full report for more information.

About Picus Security

Picus Security is the pioneer of Breach and Attack Simulation (BAS). The Picus Complete Security Control Validation Platform is trusted by leading organizations worldwide to continuously validate the effectiveness of security controls against cyber-attacks and supply actionable mitigation insights to optimize them.

Picus has offices in North America, Europe and APAC and is supported by a global network of channel and alliance partners.

The company is dedicated to helping security professionals become more threat-centric and via its Purple Academy offers free online training to share the latest offensive and defensive cybersecurity strategies.

For more information, visit

Media contact
Mike Marquiss