UK banks have been accused by their regulator of hiding the full extent of cyber-attacks.
Megan Butler, director of supervision at the Financial Conduct Authority (FCA), told attendees at the ICI Global Conference in London on Tuesday that the number of “material attacks” reported to the regulator has risen from just five in 2014 to 49 so far this year, a pro-rata 67% increase.
Ransomware in particular is on the up, comprising nearly 17% of those reports.
However, she urged banks to be more honest in their disclosures, saying the FCA “does not operate a zero-failure regime.
“It is imperative you do consider ‘modes of failure’ and that you are honest about them. And I want to make it very clear — especially post-Uber and Equifax — that we expect you to tell us about cyber-breaches at your firms as soon as you are aware something is wrong,” she warned.
“Our suspicion is that there’s currently a material under-reporting of successful cyber-attacks in the financial sector. Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”
Butler said the FCA was sympathetic to the need for banks to respond appropriately to each incident, adding: “but we expect to know when you are attacked.
“The FCA works closely with the Treasury and Bank of England in our capacity as a first responder to cyber-attacks. It is therefore essential we know about breaches in real time — as much as anything so we can support firms as they respond to an attack,” she continued.
“If you aren’t sure if you need to tell us about an incident, please tell us anyway. We will let you know if we need to refine reporting requirements.”
The FCA expects all financial institutions to have in place “the essentials of good cybersecurity”, Butler argued.
Keiron Dalton, a digital identity expert and senior director at Aspect Software, urged closer co-operation between financial institutions and the authorities.
“When a bank finds a cyber-attack threat, it may learn and prevent that specific instance of fraud being successful in future, but it doesn’t share information about the incident with the wider financial community so that they can also learn to prevent similar instances,” he argued.
“That needs to change. It should also be imperative for banks to work closely with mobile network operators, as mobile is the main platform of choice for many customers. There needs to be greater synergy, and competitiveness should be put aside for the sake of reducing the financial risk that fraud places on banks’ profitability.”