UK Banks ‘Under-reporting’ Cyber Incidents

British banks are failing to report the full extent of cyber-attacks on their infrastructure for fear of punishment and bad publicity, according to a new report.

Cyber security experts and banking executives told Reuters that the banks are taking advantage of a grey area in reporting, with current structures not set up to strictly mandate notification of every incident.

In fact, the Financial Conduct Authority (FCA), to which lenders must report any incident that could have a material impact, said last month that there have been just 75 reports so far this year.

That figure is up from the total of 27 in 2015 and five in 2014, but still seems remarkably low given the scale and sophistication of cybercrime today.

“Banks are dramatically under-reporting attacks, they do what's legally required but out of embarrassment or fear of punishment they aren't giving the whole picture,” claimed an unnamed source who works at a cybersecurity firm with banking clients.

Mark James, security specialist at ESET, argued that the UK’s financial institutions suffer cyber-attacks on a daily basis.

“Reporting every one of those attempts would indeed clog systems with lots of unnecessary information and I’m sure there will be a lot that never makes the light of day,” he added.

“However, the problem of course is perceived security, as more and more breaches happen and more malware is being used to target financial systems, then the damage caused when things go wrong can be so great decisions will be made to keep it quiet. However, with the public becoming more aware of the damage caused by lapsed security, this may influence the decision on who is to look after their savings and daily finances in the future.”

Things are set to change on the reporting front with the upcoming EU General Data Protection Regulation (GDPR), which institutes a new mandatory breach reporting structure that UK lenders will have to abide by.

Like other organizations, they will be required to notify the local data protection authority within 72 hours of a breach. This will be coupled with the prospect of fines of up to €20 million (£18m) or 4% of global annual turnover for serious infractions.