Article | FI Observer

Managing cyber security threats for financial institutions

Financial, Executive and Professional Risks (FINEX)

By Hollie Mortlock and Lara McGurk | May 4, 2022

With digitised ways of working set to continue for 2022, how can financial institutions best manage their cyber security threats?

With many businesses adopting a hybrid working model for their employees, financial institutions may continue to be vulnerable to the threat of attacks from cyber criminals seeking to take advantage of the online nature of our lives. As the duration of the Russia/Ukraine conflict increases, it remains to be seen whether more cyberattacks are on the horizon.

Data Security Incidents – Financial sector

The latest data breach statistics published by the Information Commissioner’s Office (ICO) for the third quarter of 2021/2022 [1] confirmed that the reported number of data security incidents was 185 [2]. Whilst this number is less than the preceding quarter (previously 259 [3]), it remains to be seen what the position will be at the end of the next quarter should there be an increase in cyber activity in relation to the Russia/Ukraine conflict.

The ICO categorises the data breaches into ‘non cyber security incidents’ and ‘cyber security incidents’:

  • Non cyber security incidents: occur as a result of human error and include data being emailed, posted or faxed to the wrong recipient, failure to redact, and the loss or theft of paperwork or data left in an insecure location.
  • Cyber security incidents: occur as a result of a cyberattack and include ransomware, phishing, malware attacks and unauthorised access.

Most common non cyber security incidents reported – Financial sector

Non-cyber security incidents equated to around 70% of the total breaches reported during the third quarter of the 2021/2022 financial year. Breaches of this nature occur as a result of human error, often because individuals are working under extreme pressure or to tight timescales, or through poor attention to detail.


The table below sets out the data showing the top two most common causes of non cyber security breaches reported for the financial sector to the ICO for Q2 and Q3 of 2021/2022:

Comparison of non cyber security breaches for the financial sector

Data showing the top two most common causes of non cyber security breaches for date ranges in Q2 and Q3 2021.

Cause                                      Q2: 1 July 2021 to 30 September 2021   Q3: 1 October 2021 to 31 December 2021
Data emailed to incorrect recipient        33 out of 259                          42 out of 185
Data posted/faxed to incorrect recipient   23 out of 259                          23 out of 185

Most common cyber security incidents reported – Financial sector

Cyber security incidents reported to the ICO [4] equated to 29% of the total breaches reported by the financial sector to the ICO, with ransomware attacks (35%) being the most common cause, closely followed by phishing attacks (33%).


The table below sets out the data showing the top two most common causes of cyber security breaches during Q3 of 2021/2022 compared to Q2:

Comparison of cyber security breaches

Data showing the top two most common causes of cyber security breaches in date ranges during Q2 and Q3.

Cause                 Q2: 1 July 2021 to 30 September 2021   Q3: 1 October 2021 to 31 December 2021
Ransomware attacks    57 out of 259                          19 out of 185
Phishing attacks      41 out of 259                          18 out of 185

Cybercrime continues to be a priority risk on the Financial Conduct Authority’s agenda. The National Cyber Security Centre (NCSC) published its annual review on 17 November 2021 [5], which identified ransomware as the most significant cyber threat facing all businesses in the UK, not just financial institutions. The report identified that during the first four months of 2021 the NCSC handled the same number of ransomware incidents as in the whole of 2020, a figure that was “three times greater than in 2019”.


Ransomware attacks

Guidance from the NCSC and law enforcement agencies is that they do not “encourage, endorse, nor condone the payment of ransom demands” [6]. There is no guarantee your data will be accessible should you meet the ransom demand. Furthermore, this may increase the risk of being targeted again in the future, as criminal groups will know that you are willing to pay the ransom.

Insurance implications

The fallout from a ransomware attack can be costly, both financially and reputationally. Reimbursement under an insurance policy for a ransomware attack also has its challenges due to (i) legal and regulatory restrictions – insurers are not legally permitted to pay a ransom which could be used to fund terrorism or financial crime; and (ii) uncertainty over which policy provides the appropriate coverage. Historically, Crime policies offered extortion coverage for financial institutions in connection with more physical threats on individuals or property (see our previous article). However, coverage has evolved over the last few years and began to include more cyber-related threats. With both Crime and Cyber policies offering the same or similar coverage, this has brought about disputes between insurers as to which policy responds to a ransomware attack.

Conclusion

Cyber security risk should form part of a financial institution’s operational resilience strategy, which will help identify, understand and manage any cyber related vulnerabilities. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. As the cyber and crime insurance markets continue to be a challenging space, some insurers are insisting that businesses meet specific cyber security criteria to be eligible to purchase cyber insurance. Furthermore, some insurers are insisting upon ransomware coverage being removed from Crime policies, with the focus on Cyber policies being used to protect financial institutions against a ransomware incident. Talk to WTW or our CyberCrime Task Force about how we can assist you in tailoring your cyber risk management solution and coverage to suit your risk profile and business needs.

Footnotes

[1] Covering period 1 October 2021 to 31 December 2021.

[2] Information Commissioner’s Office (n.d.). Data security incident trends. What action we’ve taken in Q2 2021/22 and what you can do to stay secure. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/

[3] Information Commissioner’s Office (n.d.). Previous reports. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

[4] Covering period 1 October 2021 to 31 December 2021.

[5] National Cyber Security Centre. NCSC Annual Review 2021. Retrieved from: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021

[6] National Cyber Security Centre (9 September 2021). Mitigating malware and ransomware attacks. How to defend organisations against malware or ransomware attacks. Retrieved from: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Authors

Claims Advocate, Financial Institutions

Graduate Analyst - TPL & Claims Advocacy, Global FINEX Financial Institutions
