According to an article by the BBC earlier this year, cyber incident reports for the UK finance sector spiked by 1000% in 2018. This data was based on a Freedom of Information (FOI) request to the Financial Standards Authority (FCA). The article stated that ‘consumer bank accounts accounted for nearly 60% of the reports submitted to the FCA last year’. A headline like this, raising fears of hackers stealing your life savings, is certainly attention-grabbing, and yes, cyber-crime is on the increase and we’ve written a blog on it. But on closer inspection of this report, cyber-attacks accounted for only 11% of the cyber incidents reported, so what were the other 89%? We thought this article raised a very good question: what is a cyber incident? And when should you report it?
According to the National Cyber Security Centre (NCSC), a cyber incident is:
“a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”
Out of the 819 cyber incidents reported to the FCA in 2018, 93 were confirmed as a type of cyber-attack such as DDoS, malware or ransomware, of which the majority, not surprisingly, were phishing attacks. However, the most frequent incidents, at 174 out of 819, were third-party failures.
I found this article dating back to April 2017 which refers specifically to the issue of UK firms not being prepared for third-party failures while at the same time having an over-reliance on third parties. This figure seems to suggest that not a lot has improved here, although in the 2 years since this article I would say that businesses have been pushed further towards third-party cloud services as that industry has grown. The important takeaway here is that management of third-party suppliers is in need of improvement.
The second-highest cause of cyber incidents, at 157, was issues with hardware and software which caused service disruption. Again, reliance on third parties and third-party products and services is an area of security risk to be managed.
When to report a cyber-incident
When to report a cyber incident, and to whom, varies depending on the consequences of the incident and the industry.
Operators of Essential Services (OES) fall under the Network and Information Systems (NIS) Regulations, along with other services critical to the economy and wider society such as water, transport, energy, healthcare and digital infrastructure. The NIS Regulations came into force in May 2018, just before the GDPR, though with a lot less fanfare. We have a detailed blog about the NIS Regulations here.
OESs have a breach reporting obligation under NIS. The banking sector falls within NIS, and cyber incidents must be reported to the FCA under the NIS Regulations when computer systems, and the digital data stored and processed within them, are compromised.
Under the EU’s General Data Protection Regulation, if a cyber incident results in “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, the data controller must inform the ICO within 72 hours using the GDPR process if the breach is deemed to pose a risk to the rights and freedoms of individuals. If the risk is high, the breach must also be reported to the affected data subjects.
Non-compliance with the GDPR can risk a fine of up to £17 million or 4% of annual turnover, whichever is greater, but the costs to the organisation, separate from any fine levied, may be significant and include the cost of reputational damage and lost business. Non-compliance with the NIS Regulations also risks a fine of up to £17 million. The GDPR and NIS are separate laws, so it is possible that a single cyber incident that infringes both sets of regulations could lead to double enforcement action, from both the ICO and the relevant NIS competent authority.
The increased reporting of cyber incidents in the finance sector over the last year is undoubtedly linked to the introduction of the GDPR and NIS Regulations in May 2018. Uncertainty regarding what needs to be reported has led to a belt-and-braces approach by firms fearful of falling foul of the new laws.
We have experience advising organisations on GDPR and NIS compliance. If you would like to discuss your compliance obligations, please contact us.