Cybersecurity incidences surge in the UK financial services sector

London’s financial district. Image by Tim Sandle

The UK financial services sector saw a surge in cybersecurity incidents year-on-year, with the rate approximately doubling. This is based on data obtained from the UK Financial Conduct Authority (FCA).

The FCA regulates the activity of more than 50,000 UK financial services firms. If any of these businesses suffer a material cyber incident, they must notify the FCA immediately. The types of incidences reported include significant loss of data, or the availability or control of its IT system; where the incident has impacted a large number of people; or where the event results in unauthorized access to, or malicious software present on, its information and communication systems.

According to Dr. Suleyman Ozarslan, Co-Founder and VP of PicusLabs (who have assessed the FCA data), there is an interesting pattern with the data and from these certain trends of interest can be drawn: “The numbers for the first half of 2023 are also far higher than the second half of 2022 when cyber incident reports almost ground to a halt by the end of the year. It is interesting to see such consistently low numbers in December.”

When grouped by month, it becomes clear that FCA cyber incident reports tend to decline throughout the year, and some months are typically far busier for security teams than others. Since 2019, far more cyber incidents have been reported to the FCA in March than any other month – with an average of 12.8.

On this, Ozarslan adds: “A slight decline in cyber incident reports would reflect the fact that many people are away from the office, but there is such a sizable gap between December and January figures. We know that breaches happen all year round, so the numbers should fall off a cliff in this manner. I don’t know which is worse, if security teams don’t discover incidents in December, or if they choose not to report them until after the holidays.”

December is the quietest month for FCA cyber incidents reports by some distance (only 2.5 reports on average). The disparity between January and December incident numbers suggests that security teams may struggle to identify or report breaches during the holiday period – or choose to wait until it is over.

Ozarslan finds that for the relatively high number of incidents reported in March 2019, 2021, 2022 and 2023, there is an element of history repeating itself. In 2023, there was a noticeable increase in exploitable zero-day vulnerabilities in widely used software. Among the most critical were CVE-2023-23397 affecting Microsoft Office Outlook, and CVE-2023-24880 impacting Microsoft Windows. This may be a significant contributing factor to increased cyber incidents in 2023. This was also the case in March 2021 when the Hafnium hacking group was actively exploiting the highly-publicized Microsoft Exchange Server vulnerabilities. It remains the single biggest month for FCA cyber incident reports.

Ozarslan concludes with: “The bad news is that ransomware has always been a low-risk and high-reward business model for financially motivated cyber threat actors. These adversaries will always target financial institutions due to the value of their assets. They are also incredibly difficult to stop at scale. As governments clamp down on active ransomware groups, new ones will appear in their place. As security teams patch their systems and develop strategies for detecting and preventing existing ransomware strains, sophisticated new campaigns will emerge.”