Finance brands under siege as hackers ramp up attacks

UK financial services brands are under constant threat of cyber attacks, with a three-fold increase in online data breaches being reported to the Information Commissioner’s Office while half of all firms have suffered a data breach through their content management system.

That is the stark conclusion of two separate reports, which paint a grim picture of an industry under constant threat of exposing highly sensitive personal information.

Figures obtained in a Freedom of Information Act disclosure from the ICO reveal that nearly a thousand cyber security breaches affecting personal data have been reported in the past two years. Some 731 breaches were reported between June 2022 and June 2023 – a significant increase from the 261 cases reported between June 2021 and June 2022. However, the ICO is yet to fine any financial services company under either GDPR or UK GDPR.

The legislation forces any company which has suffered a “personal data breach” to report it to the ICO within 72 hours, unless it is “unlikely to result in a risk to the rights and freedoms” of individuals affected.

If an ICO investigation finds that the breach was as a result of a failure to have appropriate security measures in place, the company involved could face a range of sanctions, ranging from informal advice, to a fine of up to £17.5m or 4% of global annual turnover, whichever is higher.

In reality, however, only a tiny fraction of breaches end up with a fine. The biggest ever punishment issued by the UK regulator remains the 2020 £20m penalty for British Airways. Even then, this was a substantial reduction from the original £183m fine proposed in the ICO’s notice of intent published over a year earlier.

However, the significant increase in incidents reported to the ICO from finance firms indicates the current risks to companies, and, more importantly, their customers, from malicious cyber attacks, but also highlights that many businesses may have inadequate security measures in place.

Mishcon de Reya senior data protection specialist Jon Baines commented: “The ICO hasn’t speculated on why there has been such a big increase in reports. It could be that cyber criminals are targeting the financial services sector even more intensely than previously. Personal data breaches of any kind, but particularly cyber incidents, put customers of companies in the sector at potential risk of fraud and identity theft.

“Although the ICO has not tended to issue fines for failings in this area, the increase in reported incidents could – and possibly should – lead to a review of that approach. In any case, fines remain a risk for the most serious of incidents, as does the possibility of legal claims from customers. And just as important for financial services companies is the reputational harm that can result.

“Businesses in the sector should regularly review their security arrangements to be sure they are up to scratch. But they also need to be aware that not every incident has to be reported to the ICO – a malicious attack that does not result in a risk to customers is unlikely to need reporting. It is important to do a proper – and prompt – risk assessment of any security incident, and where necessary, take appropriate professional and legal advice.”

Meanwhile, a separate report from Forrit reveals that half of organisations in the UK financial services industry have suffered a data breach through their content management system in the past three years.

The study, The Content Management System Market in 2023: What Marketers in Financial Services Really Think, explores the issues identified by marketers around using a CMS and offers tips to overcome these challenges – with security, ease of use, regulatory compliance, and staying in-line with brand guidelines all appearing at the top of the list.

The report also notes that using more than one CMS – as 88% of the organisations surveyed do – could result in an increased security risk.

The study also found that the banking and wealth management sectors were more likely to have suffered a data breach through their CMS.

In addition, three-quarters (75%) of marketers do not consistently use templates, which makes it more difficult to maintain compliance and brand consistency and slows time to market. Over a quarter (27%) of marketers do not localise content for different countries, which could cause compliance issues.

Forrit chief executive Peter Proud said: “Given the highly sensitive nature of information and extensive regulatory requirements in the financial services sector, we know security and compliance are paramount.

“Nearly all the issues senior marketers identified in our research could be mitigated by using a single CMS platform, regardless of the organisation’s size.

“A single platform which is secure, flexible, easy to use, and scalable is the simplest way to overcome all the pitfalls marketers identified. It’s more secure and can develop alongside your organisation as it grows.”
