Insights

The Financial Conduct Authority’s response to a recent Freedom of Information request submitted by specialist IT firm Picus Security disclosed that material cyber incidents reported to the FCA in 2021 increased by over 50% on the previous year, with a fifth involving ransomware. In total, the FCA received 116 reports of material cyber security incidents in 2021, up from 76 in 2020.

According to the FCA, an incident may be material if it:

• results in a significant loss of data,
• results in the unavailability of IT systems,
• affects a large number of customers, or
• results in unauthorised access to information systems

The data disclosed revealed that approximately one-third of incident reports contained notifications where the confidentiality of company or personal data may have been compromised or breached.

March 2021 was the busiest month for the FCA, with 21 cyber incidents reported, coinciding with the disclosure of seven critical vulnerabilities in Microsoft Exchange Server.

Additionally, in 2021, the National Cyber Security Centre published information for companies on ransomware which included the following stark warning;

Ransomware attacks can be massively disruptive to organisations, with victims requiring a significant amount of time (and money) to recover critical services and deliver against customer demand. They may also generate high-profile public and media interest, especially if sensitive data stolen during the attack is published. This can expose your organisation to long-term reputational damage. Ransomware attacks are becoming both more frequent and more sophisticated. The NCSC believes that ransomware will remain a major threat to the UK for the next one to two years. Ransomware is a board-level responsibility. All business leaders should ensure it’s on their risk agenda.

On a similar note, a recent report by the US-based Financial Services Information Sharing and Analysis Center (FS-ISAC) warned that the shift to digital banking is making firms vulnerable to ransomware and supply chain attacks and noted a resurgence of banking trojans and distributed denial of service (DDoS) threats.

These reports indicate that firms may need to improve their cyber risk management, whether by putting enhanced processes in place or by purchasing cyber insurance. Cyber and data insurance protects your business against financial loss, disruption or reputational damage resulting from some form of IT systems failure. It also covers you against the rapidly multiplying risks associated with running a digitally connected business in the twenty-first century and with processing third-party data within your IT systems.