The FCA has expressed the belief that UK banks are not alerting them to all successful cyberattacks, with the financial services industry known to be among the most relentlessly bombarded.
Although the regulator has warned that all cyberattacks must be reported, the number of reports has nonetheless risen significantly in recent years: 49 were made to the FCA in 2016, compared with just five in 2014.
Greater candour is not the only reason reports are up; attack volumes have soared across the board over the past two years. The FCA has said that ransomware plays a key role in this, accounting for 17 per cent of the reported attacks.
In a speech, Megan Butler, the Financial Conduct Authority’s director of supervision, said: “Our suspicion is that there’s currently a material under-reporting of successful cyber attacks… The number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry… And I want to make it very clear – especially post-Uber and Equifax – that we expect you to tell us about cyber breaches at your firms as soon as you are aware something is wrong.”
The importance of reporting all cyberattacks in a timely fashion is set to grow sharply with the arrival of GDPR, the EU's General Data Protection Regulation, which is due to come into effect in less than 170 days.
Failure to achieve GDPR compliance could result in a crippling fine, and one of the prime requirements for compliance is that organisations quickly bring all successful cyberattacks to the attention of the public.
Throughout 2017, major data breaches have grabbed headlines globally, further increasing awareness and applying pressure to large organisations to get to grips with security. Banks in particular should be focussed on achieving rigid security, with another EU directive, PSD2, also pushing banks to bolster security.