The dangers have gotten worse with the Financial Conduct Authority (FCA) receiving 116 reports of material cybersecurity incidents in 2021, up from 76 in 2020.
According to data obtained via a Freedom of Information (FOI) request by Picus Security, 65% of cyber incidents reported in 2021 (75) were due to cyber attacks.
Approximately one third of incident reports (37) contained notifications where the confidentiality of company or personal data may have been compromised or breached.
Analysis by Picus shows that one in five incidents reported to the FCA in 2021 involved ransomware.
In addition, 21 cyber incidents were reported to the FCA in March 2021 – the most submitted in any month that year and coinciding with the disclosure of critical vulnerabilities in Microsoft Exchange Server.
“Financial services firms are amongst the best prepared and most highly capable organisations at detecting and responding to cyber incidents,” says Dr Suleyman Ozarslan, Picus Security Co-Founder and VP of Picus Labs. “Yet, despite investing heavily in security and data protection, it’s clear that many continue to experience challenges in these areas.”
The FCA regulates the activity of more than 50,000 financial services firms. If any of these firms suffer a material cyber incident, they must notify the FCA.
According to the FCA, an incident may be material if it results in a significant loss of data, results in the loss of availability or control of IT systems, affects a large number of customers or results in unauthorised access to information systems.
Picus points out that digital revamps in the financial services sector, including the adoption of remote working, mean that many firms over the last few years have had to adjust their security and data protection practices.
Such companies have also had to contend with being a target of advanced persistent threat groups and ransomware operators.
Picus has offices in North America, Europe and APAC. It is headquartered in California.
It’s not the first time an FOI has produced some worrisome news.
In December, questions around data security arose with revelations that the Bank of England lost 161 electronic devices between September 2018 and August 2021.
The data was obtained by the London-based think tank Parliament Street. A total of 25 devices were lost or stolen in 2021 alone.