Financial Firms Report Puzzling 30% Drop in Breaches as Incidents Rise

Data breach incidents reported to the UK’s financial regulator dropped by nearly a third from 2019 to 2020, although experts claim this is far from an accurate picture of the current threat landscape.

Governance and risk firm Kroll requested Freedom of Information (FoI) data from the Financial Conduct Authority (FCA) to better understand the level of cyber-breach activity in the sector.

However, the data received, a 30% year-on-year drop in reported breaches to just 76 in 2020, was at odds with its own figures. These showed a 56% average increase in incidents over the same time period across all sectors — with the financial services sector slightly higher still.

Given the pandemic has provided even more opportunities for threat actors to target organizations distracted by remote working, the figures are doubly puzzling.

Kroll argued that the disparity could be explained by more organizations pulling back, after an initial period of over-reporting following the introduction of the GDPR.

In many cases, legal counsel is advising firms not to notify when they believe the reporting threshold, which turns on whether data subjects were “harmed”, has not been met, Kroll said.

“The GDPR is still a relatively new and complex piece of legislation and we certainly saw businesses being hyper-vigilant when it came to reporting to the ICO and the FCA in its initial stages of implementation,” explained Keily Blair, head of Orrick, Herrington & Sutcliffe’s UK Cyber, Privacy and Data Innovation team.

“The drop in the FCA numbers likely reflects that organizations are becoming more adept at assessing whether an incident truly meets the necessary thresholds to trigger a report to the FCA.”

She argued that the FCA’s official figures are likely to represent the tip of the iceberg in terms of security breaches at financial services firms.

“The worry is that by seeing these figures, without the benefit of knowing what is happening below the surface, organizations may misinterpret the true nature and extent of the cybersecurity threat, leading to complacency and greater risk,” she warned.

Across Europe and across all sectors, year-on-year breach notifications increased by 19% in 2020, according to DLA Piper.