UK banks weathered the storm of cyber threats in 2024 – here’s why
Large, regulated financial institutions have seen a major drop in the number of cyber attacks over the last year, following moves by the Financial Conduct Authority (FCA) to tighten regulations around operational resilience.
According to data obtained by Hack The Box via Freedom of Information (FOI) requests, the FCA received 101 incident notifications from regulated firms between January 1 and October 21 this year – marking a 53% decrease compared to the year prior.
Notably, given the surge in supply chain attacks in recent years, incidents related to a cyber attack against third-party providers dropped by more than a third, while data breaches tied to cyber incidents fell by 29%.
Haris Pylarinos, CEO and founder at Hack The Box, said the downtrend in reported attacks is a “welcome development”, especially given the increasingly perilous threat landscape faced by financial institutions globally.
“There has been a conscious effort to factor preparedness and response into new FCA regulation, and on the surface, it appears that these efforts have, at least partially, helped,” he said.
The drop in the number of attacks follows ongoing efforts by the FCA to tighten up the regulations covering operational resilience, with the aim of securing financial firms’ critical data.
Regulated firms are currently required to set impact tolerances, ramp up testing to identify vulnerabilities, conduct crisis simulation exercises, and develop robust internal and external communication plans.
But these rules are now being extended, with organizations required to make further financial investments to maintain compliance by the end of March next year.
“Preparedness and consistency in response is critical to maintain business operations. This requires firms to empower CISOs and security executives to take control of an incident,” said Pylarinos.
“If security leaders maintain the trust of the board to respond according to regulations and have clear directions in place for how employees should respond, significant business disruptions could be avoided. To achieve this, investment is needed in cybersecurity upskilling, but also in table-top exercises that provide realistic, scenario-based crisis preparation.”
The new requirements stem from concerns that the financial sector has become increasingly dependent on critical third parties, leading the government to give the FCA, the Bank of England, and the Prudential Regulation Authority more powers last year.
Third-party vendor reliance was a key issue highlighted in a study from the International Monetary Fund (IMF) earlier this year, which warned that cyber criminals are increasingly targeting vendors as a means to create downstream havoc.
While external providers can “improve operational resilience”, attacks on these organizations can expose the financial industry to “systemwide shocks”, the study warned.
“The finance industry has long been on the front line of cyber threats, a reality heightened by today’s geopolitical tensions,” commented Lucas Kello, associate professor of international relations at the University of Oxford.
“Nation-state actors and other adversaries pose a constant – and constantly evolving – risk to financial firms. Combining advanced security tools with robust preparedness and incident response strategies is essential to limiting the damage of successful attacks.”
However, Kello warned that financial firms shouldn’t rest on their laurels.
The costs associated with cyber attacks on financial institutions have increased markedly in recent years, highlighting the need for continued vigilance.
IMF research found cyber attacks on financial firms now account for nearly one-fifth of the world’s total financial losses, with banks the most exposed.
Furthermore, over the last 20 years, financial institutions have lost a total of $12 billion to cyber attacks, with $2.5 billion lost between 2020 and 2024 alone.