With many businesses adopting a hybrid working model for their employees, financial institutions may continue to be vulnerable to the threat of attacks from cyber criminals seeking to take advantage of the online nature of our lives. As the duration of the Russia/Ukraine conflict increases, it remains to be seen whether more cyberattacks are on the horizon.
The latest data breach statistics published by the Information Commissioner’s Office (ICO) for the third quarter of 2021/2022[1] confirmed that the reported number of data security incidents was 185[2]. Whilst this number is less than the preceding quarter (previously 259[3]), it remains to be seen what the position will be at the end of the next quarter should there be an increase in cyber activity in relation to the Russia/Ukraine conflict.
The ICO categorises the data breaches into ‘non cyber security incidents’ and ‘cyber security incidents’:
Non-cyber security incidents equated to around 70% of the total breaches reported during the third quarter of the 2021/2022 financial year. Breaches of this nature occur as a result of human error, often where individuals are working under extreme pressure or to tight timescales with poor attention to detail.
The table below sets out the data showing the top two most common causes of non-cyber security breaches reported for the financial sector to the ICO for Q2 and Q3 of 2021/2022:

Cause | Q2: 1 July 2021 to 30 September 2021 | Q3: 1 October 2021 to 31 December 2021
---|---|---
Data emailed to incorrect recipient | 33 out of 259 | 42 out of 185
Data posted/faxed to incorrect recipient | 23 out of 259 | 23 out of 185
Cyber security incidents reported to the ICO[4] equated to 29% of the total breaches reported by the financial sector to the ICO, with ransomware attacks (35%) being the most common cause, closely followed by phishing attacks (33%).
The table below sets out the data showing the top two most common causes of cyber security breaches during Q3 of 2021/2022 compared to Q2:

Cause | Q2: 1 July 2021 to 30 September 2021 | Q3: 1 October 2021 to 31 December 2021
---|---|---
Ransomware attacks | 57 out of 259 | 19 out of 185
Phishing attacks | 41 out of 259 | 18 out of 185
Cybercrime continues to be a priority risk on the Financial Conduct Authority’s agenda. The National Cyber Security Centre (NCSC) published its annual review on 17 November 2021[5], which identified ransomware as the most significant cyber threat facing all businesses in the UK, not just financial institutions. The report identified that during the first four months of 2021 the NCSC handled as many ransomware incidents as in the whole of 2020, a figure that was “three times greater than in 2019”.
Guidance from the NCSC and law enforcement agencies is that they do not “encourage, endorse, nor condone the payment of ransom demands”[6]. There is no guarantee your data will be accessible should you meet the ransom demand. Furthermore, this may increase the risk of being targeted again in the future, as criminal groups will know that you are willing to pay the ransom.
The fallout from a ransomware attack can be costly, both financially and reputationally. Reimbursement under an insurance policy for a ransomware attack also has its challenges due to (i) legal and regulatory restrictions – insurers are not legally permitted to pay a ransom which could be used to fund terrorism or financial crime; and (ii) uncertainty over which policy provides appropriate coverage. Historically, Crime policies offered extortion coverage for financial institutions in connection with more physical threats to individuals or property (see our previous article here). However, coverage has evolved over the last few years and has begun to include more cyber-related threats. With both Crime and Cyber policies offering the same or similar coverage, this has brought about disputes between insurers as to which policy responds to a ransomware attack.
Cyber security risk should form part of a financial institution’s operational resilience strategy, which will help it identify, understand and manage any cyber-related vulnerabilities. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. As the cyber and crime insurance markets continue to be a challenging space, some insurers are insisting that businesses meet specific cyber security criteria to be eligible to purchase cyber insurance. Furthermore, some insurers are insisting upon ransomware coverage being removed from Crime policies, with Cyber policies instead to be used to protect financial institutions against a ransomware incident. Talk to WTW or our CyberCrime Task Force about how we can assist you in tailoring your cyber risk management solution and coverage to suit your risk profile and business needs.
[1] Covering the period 1 October 2021 to 31 December 2021.
[2] Information Commissioner’s Office (n.d.). Data security incident trends: What action we’ve taken in Q2 2021/22 and what you can do to stay secure. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/
[3] Information Commissioner’s Office (n.d.). Previous reports. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/
[4] Covering the period 1 October 2021 to 31 December 2021.
[5] National Cyber Security Centre (2021). NCSC Annual Review 2021. Retrieved from: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021
[6] National Cyber Security Centre (9 September 2021). Mitigating malware and ransomware attacks: How to defend organisations against malware or ransomware attacks. Retrieved from: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks