Third parties contribute to 1000% increase in finance sector cyber-crimes

Cyber-attacks reported in the UK financial services sector rose 1,000 percent between 2017 and 2018, with third-party failures involved in 21 percent of incidents.

The UK’s Financial Conduct Authority (FCA) recorded 819 cyber-crime incidents in 2018, a ten-fold increase from 69 incidents in 2017, according to data obtained by accounting consultants RSM.

Retail banks topped the incident list (486), followed by wholesale financial markets (115) and retail investments (53). Third-party failure caused 21 percent of the incidents reported, while hardware or software issues were behind 19 percent of cases.

In an email to SC Media UK, Peter Carlisle, sales VP at nCipher Security, attributed the rising numbers to mandatory reporting of any form of cyber-incident to the authorities. "While the stringent regulatory landscape means better reporting on data breaches and cyber-attacks, it has also led to greater awareness across the industry, encouraging firms to proactively spend on security measures such as encryption and hardware security modules (HSMs)," he told SC Media UK.

Criminals targeting connected devices have also driven up the number of incidents, said Chris Hodson, EMEA CISO at Tanium. "Financial services firms must have visibility over all their IT endpoints – laptops, servers, virtual machines, containers, or cloud infrastructure – and maintain basic security hygiene practices, such as ensuring standard secure configurations on all devices, applying patches in a timely manner and improving the speed at which companies identify and respond to attacks," he told SC Media UK.

The focus should not be on the number of cyber-incidents in this report, but on the major cause of these incidents, said Ross Brewer, EMEA VP at LogRhythm. "Over a fifth of incidents are caused by a third party failure: a weakness in the supply chain."

The complexities of running a multinational financial services firm have saddled these businesses with a broad and complex supply chain. "From third-party suppliers to white label clients, each connection with another business is a potential point of weakness, and it's something cyber-criminals are more than willing to exploit," Brewer told SC Media UK.

The FCA, in its report ‘Cyber security - industry insights’ in March 2019, urged the companies to have a deep understanding of their supply chain. "Understand the connectivity between and dependency on partners. Adopting the view that you only need to be concerned with suppliers limits the ability to think wider about third party risk," the report said.

Data breaches at companies such as Best Buy, Sears, Kmart and Delta in 2018 were carried out through vulnerabilities in a third-party chat app.

Digital transformation has turned banks and financial institutions practically into technology companies, said Chris Miller, UK & Ireland director at RSA Security. "Most money that circulates in the world now is electronic, not paper form. While this shift has created a number of efficiency and security gains, not to mention improvements in customer experience, it also creates new digital risks," he said.

However, many organisations are still trying to deal with these risks using old methods, with risk and compliance teams sitting separately from IT and security teams, he noted. Management changes were listed as the cause of 18 percent of the cyber-related incidents that happened in 2018.

"Our recent study found that over a quarter (28 percent) of UK CIOs and CISOs said that departments and business leaders work in silos, leaving them with a lack of visibility and control over IT operations," said Tanium’s Hodson. "This has directly affected the business, with the majority (83 percent) having found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result."

Paul Hampton, senior product manager at Thales, added: "On the positive side, regulation like GDPR is seemingly making firms in the industry be more transparent and ultimately take responsibility in their approach to cyber-security. Without a need to be completely transparent, financial services organisations could previously rest on their long-held reputation of keeping customers safe and secure, but now we’re going to see if the reputation is up to the test of public scrutiny."

Most incidents happen because someone makes a mistake, not because someone is mounting a targeted cyber-attack, pointed out Anna Russell, VP at comforte AG. "More than 40 percent of the incidents are caused by factors that are outside the control of the impacted organisation. Based on these numbers, it is obvious that organisations need to implement new ways to protect their data as traditional perimeter defence is not sufficient anymore," she told SC Media UK.

However, boosting the defence budget is no guarantee of a reduction in cyber-crime in the sector, according to a report on cyber-crime by sector body UK Finance. "It isn’t simply a question of spending more money on more robust security systems: banks alone spent £281 billion on IT in 2016, and financial services firms already spend three times the amount that non-financial organisations do on cyber-security," said the report, titled ‘Staying ahead of cyber crime’.

"With the number of attempted cyber-attacks only set to increase as attackers become more and more sophisticated, company-wide visibility and control of digital assets is the only way to truly stop cyber-attackers firmly in their tracks and ensure resilience against business disruption across financial services firms," said Hodson.
