In 2018, companies struggled to mitigate large-scale attacks and data breaches, but apparently too little action has been taken to improve defenses in 2019. Businesses are trying to be proactive. They have increased cybersecurity budgets and invested in resources, including in qualified IT staff. So why are they, financial services specifically, still falling for social engineering scams and malware attacks? What hampers efforts to safeguard their networks?
According to the UK’s Financial Conduct Authority (FCA), 480 percent more data breaches were reported in 2018 than in 2017. Investment and retail banks were hit hardest, with 34 and 25 reported breaches, respectively. However, attacks against retail banks jumped 2,400 percent. The FCA believes the numbers are strongly connected to GDPR compliance. Since May 2018, companies have been more transparent with breach reporting to avoid hefty fines, whereas before GDPR many security incidents went unreported due to weaker regulation.
Fraud, the loss or theft of confidential and top-secret documents, customer loss and reputation damage are among the growing pains organizations struggle to tackle. Cybercriminals actively seek to steal troves of data that they can sell on the black market.
Cybercrime is not restricted to legal borders, and hackers are definitely not always domestic, leading enforcement agencies to work together on market regulation at an international level. Banks, for example, have to not only comply with GDPR but also inform their clients about each security breach they dealt with, as per rules laid out in the Second Payment Services Directive (PSD2). By September, all financial companies will have to comply with the directive, which imposes strict regulations, such as mandatory two-factor authentication, to protect financial data and online payments, and prevent online fraud.
As was the case with GDPR in 2018, financial institutions, especially banks, will have to be prepared for PSD2’s tough guidelines by September. This is a difficult transition period for banks as they make their shift to become digitally reliable.
The increase in attacks against financial organizations forces companies to invest heavily in cyber resilience and multi-layer security, because the basic protection used so far has proven to be below industry standards. Businesses have to place critical assets first and ensure their protection through multiple lines of defense to fend off new malware variants that will keep emerging. It is vital for critical sectors to prioritize the reevaluation of network architecture and firmware to reduce vulnerabilities.