UK banks failing to disclose all cyber-attacks, says FCA
Financial services regulator underlines need for transparency.
The UK’s financial services regulator has accused British banks of under-reporting the number of successful cyber-attacks conducted against them.
Speaking at the ICI Global Conference in London earlier this month, Megan Butler, director of supervision at the Financial Conduct Authority (FCA), said the recent breach announcements from Equifax and Uber sent a “powerful warning” to the financial sector.
“As you might imagine, one important goal of this work is to try and avoid a successful, Uber-style hack on a high street bank, or other financial service firm with lots of retail clients,” Butler said.
“I think it is important to be clear, though, that the cyber risk to capital markets is also large and escalating.”
According to the FCA director, although breach reports from British banks have grown more than ten-fold over the past four years (from five disclosures in 2014 to 49 disclosures in the last 12 months), the figure is still lower than expected, given that the financial sector remains a prime target for hackers.
“Our suspicion is that there’s currently a material under-reporting of successful cyber-attacks in the financial sector,” Butler stated. “Certainly, the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”
After noting the “significant upward trend” of ransomware and the emergence of enterprise-grade malware, the director sent a clear warning to financial services firms about their reporting responsibilities.
“We absolutely expect all businesses to deal with us in an open, transparent manner – and this is an expectation that includes reporting of material cyber events,” she said.
“The FCA works closely with the Treasury and Bank of England in our capacity as a first responder to cyber-attacks. It is therefore essential we know about breaches in real time – as much as anything so we can support firms as they respond to an attack.
“I want to make it very clear – especially post-Uber and Equifax – that we expect you to tell us about cyber breaches at your firms as soon as you are aware something is wrong.”