The number of cyber incidents at UK banks, asset managers, wholesale brokers and exchanges rose from 21 in 2019 to 55 in 2020, a 161.9% increase, according to the Financial Conduct Authority (FCA). The disclosure was made in response to a request under the Freedom of Information (FoI) Act.
Asset managers, wholesale brokers, platforms and exchanges reported 25% more operational incidents and 178% more cyber incidents to the FCA from 2019 to 2020. Banks’ cyber incident reports rose by 150%. This data represents a sub-sector of that found in the FCA’s 2019/20 annual report (page 35) which showed 824 operational and cyber incidents reported across the 60,000 firms it regulates. Those numbers were down slightly from 849 incidents reported in 2018/19 FCA financial year.
Yet another set of data from the FCA’s multi-firm review of technology change programmes at 23 firms showed more than 13,767 tech- change-related incidents in 2019, of which 14% had customer-facing impact.
Cyber incidents
UK banks, which the FCA categorised as firms within the retail banks and wholesale banks portfolios, reported 12 cyber incidents in 2019, and 30 cyber incidents in 2020, from those firms. That is a 150% year-on-year increase.
Previously undisclosed data shows a 178% year-on-year increase in cyber incidents between 2019 to 2020 at asset managers, wholesale brokers and exchanges. For 2019, the FCA data shows five cyber incidents at asset managers, two at wholesale brokers, two at exchanges and none at retail investment platforms — or a total of nine. For 2020, it shows 14 cyber incidents at asset managers, eight at wholesale brokers, three at exchanges and none at retail investment platforms — or a total of 25.
The FCA’s annual report data shows 139 cyber-related incidents across the 60,000 firms it regulates in 2018/19 and a slight decrease to 109 in 2019/20.
Operational incidents
Regulatory Intelligence asked the FCA for data on operational incidents reported by UK banks report in 2019 and 2020 year-to-date that were unrelated to retail or business banking accounts. Initially, the FCA said it did not hold all operational incident data in one place and it would cost too much to collate it.
“The FCA holds centralised records on material operational incidents reported to the FCA by individual firms. The FCA categorises financial services firms into sectors. The FCA also divides each sector into a series of portfolios, with each portfolio comprising firms with similar business model,” it said in follow-up correspondence.
The FCA maintains a continually updated record on operational incidents, yet it did not supply the requested data and did not give a new reason.
The FCA published operational and cyber incident data relating to business and consumer banking accounts on its website. The most recent (July 1, 2019-June 20, 2020) data broadly shows 171 operational and security incidents effecting personal current accounts across 30 banks operating in the UK. The most recent (July 1, 2019-June 20, 2020) business account data broadly shows 150 operational and security incidents across 20 banks operating in the UK.
This data lumps cyber and operational incidents together, however, and it is unclear where an incident may be double counted amongst banks in the same group or whether incidents impacted both business and personal account customers. 2018/19 data was unavailable for comparison.
The FCA did, however, supply a breakdown of operational incidents at asset managers, wholesale brokers, exchanges and platforms. This data is not publicly available. For 2019 it shows 23 operational incidents at asset managers, 12 at wholesale brokers, 20 at exchanges and four at platforms — or a total of 59. For 2020, it shows 21 operational incidents at asset managers, 19 at wholesale brokers, 25 at exchanges and nine at platforms — or a total of 74. That is a 25% year-on-year increase.
Multi-firm technology change review highlights more incidents
Last week the FCA published a multi-firm review which looked at how financial firms manage technology change, the impact of change failures and the practices used within the industry to help reduce the impact of incidents resulting from change management. It
identified four areas that could lead to increased operational disruption during the technology change process and its analysis showed even more operational disruption than the data it provided Regulatory Intelligence and that which is already publicly available.
“Our analysis showed that, in general, change was managed effectively by the industry with 1.6% of technology changes resulting in an incident. However, due to the volume of change implemented by sample firms, this resulted in significant disruption; amounting to over 13,767 incidents in 2019, of which 14% had customer-facing impact. Certain types of change, such as major changes, were more likely to result in incidents. We also identified significant variance in change success rates between firms, highlighting the need for robust controls and oversight,” the report said.
The sampled (23) firms deployed nearly 68,000 major changes over 2019, which resulted in 2,600 incidents. That is an average failure rate of 3.8%, compared to 1.6% from all change types. During 2019, firms deployed over 33,000 emergency changes into production, accounting for between 3-5% of total change volume. It found that, on average, 1.5% of emergency changes resulted in a new incident; a slightly lower proportion than other types of changes.
According to data taken from all incidents reported to the FCA by regulated entities in 2019, third-party incidents were one of the top root causes, accounting for 18% of all incidents.
Publisned by Thomson Reuters Accelus Regulatory Intelligence 10 February, 2021