Head of Data Breach, Kingsley Hayes, explores the impact of cybercrime in the finance sector, in Finance Digest.
Kingsley’s article was published in Finance Digest, 27 October 2021, and can be found here.
There is no getting away from the fact that cybercriminals have their eyes firmly on businesses operating in the finance sector.
The sector is a highly lucrative target for hackers, and official reports and records repeatedly echo the importance of data protection in the industry.
Damning data breach figures are a clear warning
The threat of cybercrime for financial services organisations, and their customers, is real. Global and domestic statistics reveal serious cracks in the robustness of cybersecurity in the sector with hackers generously rewarded for their efforts.
UK cyber incidents paint a bleak picture
According to data from Statista, financial services are at most risk of phishing attacks (24.5%).
In the past 12 months, up to the end of September, 14% of all cyber incidents reported to the Information Commissioner’s Office (ICO) came from the finance, insurance and credit sector.
- Phishing and ransomware have proved the biggest threats to cybersecurity
- More than two fifths (41%) of cyber-related incidents in the industry during this period were the result of phishing
- Ransomware attacks accounted for 28% of all cyber incidents in the past year for businesses in the finance sector
- The last quarter showed a sharp rise in ransomware attacks with the highest number recorded over the past year – 57 incidents compared to just eight in the previous quarter
Global ransomware incidents a costly risk
The State of Ransomware in Financial Services report 2021 published by Sophos found that 51% of organisations stated that cybercriminals had succeeded in encrypting their data.
- A quarter of the businesses affected had paid the ransom demanded in return for their stolen data
- One third of breached data remained inaccessible despite cybercriminals pocketing the hefty rewards
- More than a third (34%) of financial services organisations had fallen victim to a ransomware attack in the past year, according to its findings
- The average cost of rectifying a ransomware attack was $2.10 million
Brand trust following a data breach
Business and personal customers alike place their trust in the financial sector to maintain the highest level of data protection to minimise the known risks posed by cybercriminals.
When a cyber incident occurs exposing confidential and highly valuable data, years of trust building are lost in an instant.
Damage limitation efforts cannot mitigate the full risks once private data has been obtained fraudulently.
What happens after a data breach as a result of hacking?
Cybercriminals are alert to the full financial benefits following a successful hack – and will exploit all opportunities available to them, including selling stolen data to third parties and laundering the proceeds, which makes recovering the full losses challenging at best.
An increasing dependence on technology means that cybercriminals can target businesses from anywhere in the world.
Taking proactive preventative measures requires adequate levels of investment – including prioritising cybersecurity as a business essential.
The cost to businesses following cybercrime includes lost time, reputational damage, loss of customers and the extensive costs of rectifying the issue – with no guarantee of mitigating the full associated risks after the event.
Limitless damage unrecognised
When large volumes of sensitive information are accessed by criminals, the full impact may not, in some instances, be realised for several years after a hack.
The historic behaviour of cybercriminals indicates that stolen confidential details can be used in batches over time, which could mean weeks, months, or even many years after a data breach has been discovered.
This means that affected individuals can suffer the wide-reaching consequences long after a business has considered the matter dealt with.
The human cost of data protection violations
Private information, including names, dates of birth, account numbers and national insurance details, can and will be used for fraudulent activity when placed in the wrong hands.
Identity theft leading to substantial financial losses and damage to credit ratings has a ripple effect, impacting every aspect of an individual’s life.
The financial implications are just one aspect of the significant harm caused when organisations fail in their data protection obligations.
The psychological impact on victims following a data breach within the financial sector is immeasurable and is often underestimated.
Living with the fear of not knowing if, and when, an individual’s personal details will be used fraudulently – and what this will mean for short- and long-term financial security – can lead to anxiety and depression.
For some, the result may be an inability to continue in their employment, the loss of their homes and damage to their relationships.
Being held to account
The cost to businesses that fail to implement an appropriate level of cybersecurity goes beyond the cost of recovering the stolen data, rebuilding trust in their brand and investing in the measures that should have been in place before a data security incident.
Victims of data breaches are entitled to compensation which is calculated based on their actual, and potential, financial losses and psychological injury.
Organisations can also face hefty penalties for failing to comply with data protection laws.
Data protection in the post-pandemic era
The pandemic has delivered an ideal environment for cybercriminals to excel in their endeavours:
- Sudden, unexpected, and heavy reliance on technology
- Unplanned working from home for entire workforces
- Lack of adequate staff training before and/or during the crisis
- Inadequate investment in cybersecurity before and/or during the pandemic
- Lack of security controls within home working environments
- Increased risk of mistakes as a result of the above, and the chaos and uncertainty as a result of the health crisis
Organisations are now faced with the challenges of considering hybrid working and the potential cybersecurity risks arising from this.
New FCA guidance
The Financial Conduct Authority (FCA) issued new guidance in October for the financial sector to help ensure a secure transition to hybrid working.
The guidance includes regulatory requirements, data compliance and accountability. Businesses in the financial sector will have to prove that remote working and the lack of centralised services will not lead to an increased risk of financial crime.
The industry will have to demonstrate it has appropriate governance in place and that policies and procedures can be successfully cascaded to reduce the risks of financial crime.
Cybersecurity future forecast
Only time will tell whether the financial sector can not only swiftly adapt to a changing work environment, but also anticipate the imminent and inevitable risk of a cyber-attack.
The only certainty is that a cybersecurity incident can only be prevented within organisations that prioritise data protection and invest in robust and comprehensive measures throughout their business, including their supply chain.