Clifford Chance

New data released by the FCA reveals significant insights into the number of cyber incidents that have been reported to them and the number of investigations they have consequently opened

In response to a recent Freedom of Information Act request submitted by Clifford Chance, the FCA provided details of the number of cyber-incident notifications it has received in 2019 and from January to 17 June 2020.  The FCA categorises these notifications by Sector and Root Cause, the breakdowns of both can be found below.

The FCA has also revealed the number of enforcement investigations into cyber incidents it opened for the years 2018, 2019 and 2020 (until 17 June).  Interestingly, although the FCA received 819 and 835 notifications respectively in 2018 and 2019, in response to these notifications, it only opened one investigation in 2018 and four investigations in 2019.  Through 17 June 2020, the FCA had received 323 notifications but has not yet opened any enforcement investigations. The FCA has also confirmed that they currently have four open investigations.

In contrast, the ICO has disclosed that it received 1,102 cyber incident notifications from the "Finance, insurance and credit" sector during 2019, and received over 12,000 notifications overall during that year.

The data also reveal trends in both the number of cyber incidents reported to the FCA and their root causes.  Whilst the total number of reports increased incrementally from 2018 to 2019, the data from 2020 indicates a slight dip in the trend.  This is surprising given the documented increase in cyber attacks directed at exploiting the massive shift to working from home caused by the coronavirus lockdown.  (For more information on the increased threat of cyber-attacks associated with the lockdown, see our article here.)

In all three years, the majority of notifications have been centralised in the Retail Banking sector and the primary causes have been consistently classed as Hardware/Software Issues, Change Management, and Third Party Failures.  As these root causes demonstrate, reporting obligations to the FCA extend beyond the requirements of the GDPR. Whilst in enforcing the GDPR, the ICO focusses on the protection of personal data, the FCA's purview expands to cyber incidents that may impact the ability of regulated entities to provide uninterrupted services to their clients.  Specifically, the FCA's states that under Principle 11 of the FCA handbook, material cyber-incidents should be reported, and elaborates that an incident may be material if the following criteria are met:

• It results in significant loss of data, or the availability or control of your IT systems;
• It affects a large number of customers; or
• It results in unauthorised access to, or malicious software present on, your information and communication systems.

The data also re-enforce the importance of maintaining vigilance against phishing attacks.  Of the reports relating to cyber-security incidents, Phishing attacks have been the primary root cause for all three years.

The charts below set out breakdowns of the number of cyber incidents reported to the FCA by sector and root cause.  The figures for 2020 have been extrapolated based on the data provided by the FCA from 1 January 2020 to 17 June 2020, and assume that the rate of reporting will stay constant for the remainder of the year.