Kroll, the world’s premier provider of services and digital products related to governance, risk and transparency, today reveals that the number of data breaches reported to the FCA fell by 30% between 2019 and 2020.
This directly contradicts Kroll’s own data, which, looking at all industries, showed a 56% average rise in incidents over the same timeframe, with the financial services industry slightly above that average.
Freedom of Information data obtained by Kroll from the FCA shows that the number of reportable cyber incidents where company or personal data was potentially compromised or breached dropped 30% to 76 in 2020, compared to 108 during the same time period in 2019 (Figure 1).
In reality, the number of data breaches is expected to be far higher, with Kroll’s proprietary data showing that during the same period the overall number of incidents impacting UK organisations rose 56%, leading to an increase in consumer notifications of more than 41% when compared to 2019.
This disparity between official FCA statistics and the reality of the current cyber threat landscape means the increase in the sophistication and volume of attacks is in danger of going unaddressed. The gap is likely linked to changes in data breach reporting practice brought about by GDPR.
GDPR requirements are broadly subjective, requiring a determination of an increased risk of harm without a firm definition of what harm is. In the early days following the introduction of GDPR and its adoption into national legislation, many companies suffering cyber incidents felt compelled to report out of an overabundance of caution. More recently, however, legal counsel has taken a more robust approach to notification, to protect clients from the reputational and financial damage that often follows.
Requirements for notifying data protection authorities, consumers and the FCA each differ and call for expert guidance. Therefore, when faced with a breach, companies should consult experts qualified to make informed decisions.
Andrew Beckett, Managing Director and EMEA Leader, Cyber Risk, Kroll, comments:
“The regulator’s official figures don’t match up with what we’re seeing on the ground. The pandemic has undoubtedly created more opportunities for cyber criminals, so a supposed drop in attacks doesn’t ring true.”
“In an environment where threats are multiplying in number and developing in sophistication, it is imperative that companies develop and fine-tune their entire incident response approach. Legal counsel, digital forensics, notification provider and crisis communications vendors should be mapped out, agreements negotiated and the entire programme should be tested at least annually.”
“The complex regulatory environment and higher public awareness demands careful integration of these privacy and security controls, and with criminals extorting customers in a variety of non-technical ways (social media, spam calls, customer and media outreach, etc.), vigilance needs to be extended across the entire spectrum of digital channels.”
Keily Blair, Head of Orrick, Herrington & Sutcliffe’s UK Cyber, Privacy and Data Innovation team, noted that:
“Like Kroll, we have seen a material increase in the number and severity of cyber security incidents during 2020 and that trend is continuing into 2021. The difference between the FCA and Kroll’s proprietary data reflects, among other things, the difference between cyber security incidents and reportable personal data breaches.
The GDPR is still a relatively new and complex piece of legislation and we certainly saw businesses being hyper-vigilant when it came to reporting to the ICO and the FCA in its initial stages of implementation. The drop in the FCA numbers likely reflects that organisations are becoming more adept at assessing whether an incident truly meets the necessary thresholds to trigger a report to the FCA.
As such, there is no doubt that the FCA figures are the tip of the iceberg. The worry is that by seeing these figures, without the benefit of knowing what is happening below the surface, organisations may misinterpret the true nature and extent of the cyber security threat, leading to complacency and greater risk.”