The retail banking sector suffered the highest number of reported attacks over 2017 with 17 different incidents, which was followed closely by retail lenders and investment management firms with each reporting 16 attacks, according to the Financial Conduct Authority (FCA).
The statistics were revealed in a freedom of information (FoI) response to consulting firm RSM.
In addition to the quadrupling of data hacks, the stats also showed that cases of malware infection which led to financial loss jumped from just one in 2016 to four last year.
Steve Snaith, technology risk assurance partner at RSM, said: “We have previously raised concerns that there is likely to be significant under-reporting of cyber attacks by regulated financial services firms. Nevertheless, these new numbers do reveal some important trends.”
Cyber incidents reported to the FCA during 2015, 2016, and 2017 by regulated firms.
| Type of attack | 2015 | 2016 | 2017 |
| Denial of Service | 20 | 18 | 16 |
| Hacking – Loss of Data | 0 | 4 | 17 |
| Ransomware | 0 | 4 | 8 |
| Cyber | 0 | 0 | 10 |
| Hacking – Service Disruption | 2 | 3 | 4 |
| Phishing/ Smishing / Vishing | 0 | 1 | 5 |
| MalWare – Financial Loss | 1 | 1 | 4 |
| Unathorised access – CMA | 0 | 2 | 1 |
| Phishing/ Smishing | 0 | 3 | 0 |
| Third Party Failure | 0 | 1 | 1 |
| Data Leakage | 0 | 0 | 2 |
| Social Engineering – Financial Loss | 1 | 0 | 1 |
| Fraud | 0 | 1 | 0 |
| Grand Total | 24 | 38 | 69 |
| Sector | 2015 | 2016 | 2017 |
| Retail banking and payments | 9 | 23 | 17 |
| Retail lending | 1 | 2 | 16 |
| General insurance and protection | 1 | 1 | 11 |
| Pensions and retirement income | 2 | 1 | 2 |
| Retail investments | 0 | 1 | 1 |
| Investment management | 4 | 3 | 16 |
| Wholesale financial markets | 7 | 7 | 6 |
Source: FCA (Note: the FCA logs attack campaigns which may involve a series of incidents attributable to the same actor with the same motivation as a single incident.)
Snaith continued: “The jump in incidents of data loss resulting from hacking attacks should be particularly concerning to the financial services sector, given we are just months away from the new GDPR regime coming into force.
“GDPR should be one of the most pressing issues for the sector and regulated companies should heed the FCA’s recent warning that firms must improve their cyber resilience.
“Cyber-attacks are becoming increasingly sophisticated and are constantly evolving and adapting. One of the biggest challenges is trying to ensure that defensive controls keep up,” he added.
