Data Breach Reporting to the FCA Drops by 30% as Cyberattack Incidents Rise by 65% in the UK
Between 2019 and 2020 the Number of Data Breach Incidents Reported to the FCA Has Dropped by 30%.
According to an analysis of FCA data, incidents such as data breaches dropped by 30% between 2019 and 2020. Kroll's own data, on the other hand, shows a 56% increase in cyberattack incidents over the same period.
London-based Kroll, the world's premier provider of governance-related services and digital products, last week revealed the number of data breaches reported to the FCA in the pre-pandemic timeframe.
Between 2019 and 2020, the number of data breach incidents reported to the FCA dropped by 30%, the report reveals.
This is a significant discrepancy from Kroll's own data, which shows actual cyber incidents increasing by 56% over the same period. Kroll's data also shows that the fintech industry was more likely to be targeted by such cyberattack attempts.
The FCA publishes Freedom of Information data, and Kroll's analysis of that data indicates that the number of reportable cyber incidents in which company or personal data was potentially compromised or breached dropped 30% to 76 incidents in 2020, down from 108 incidents reported in 2019.
Given the circumstances, this may have more to do with the incidents themselves growing in complexity and sophistication, and therefore not qualifying for reporting under current cyberattack definitions, than with any actual decrease in their number.
Moreover, the decline in reported attacks, which risks leaving incidents unaddressed, is likely linked to changes in data breach reporting brought about by GDPR.
GDPR requirements are broadly subjective, requiring a determination of an increased risk of harm without a firm definition of what harm is. In the early days following the introduction of GDPR and its adoption into national legislation, many companies suffering cyber incidents felt compelled to report out of an overabundance of caution. More recently, however, legal counsel has taken a more robust approach to notification in order to protect clients from the reputational and financial damage that often follows.
Companies often lack expert guidance, and this, combined with the fact that the requirements for notifying data protection authorities, consumers and the FCA each differ, can lead to confusion. That is why, when a breach is suspected, companies should consult experts qualified to make informed decisions.
In an environment where threats are multiplying in number and developing in sophistication, it is imperative that companies develop and fine-tune their entire incident response approach.
The complex regulatory environment and higher public awareness demand careful integration of these privacy and security controls, and with criminals extorting customers in a variety of non-technical ways (social media, spam calls, customer and media outreach, etc.), vigilance needs to be extended across the entire spectrum of digital channels.
GDPR is still a relatively new and complex piece of legislation across the EU, and many large companies are still struggling with it; one can only imagine how much harder it is for smaller companies, which lack specialized help in this area, to understand and comply with it.
The significant drop in FCA-reported incidents may reflect that organizations are becoming more adept at assessing whether an incident truly meets the thresholds that trigger a report to the FCA.
As such, there is no doubt that the FCA figures are the tip of the iceberg. The worry is that organizations seeing these figures, without the benefit of knowing what is happening below the surface, may misinterpret the true nature and extent of the cybersecurity threat, leading to complacency and greater risk.