Reported attacks on
financial institutions in Britain have risen from just 5 in 2014 to 75
so far this year, data from Britain's Financial Conduct Authority (FCA)
However, bankers and experts in cyber-security say many
more attacks are taking place. In fact, banks are under almost constant
attack, Shlomo Touboul, Chief Executive of Israel-based cyber security
firm Illusive Networks said.
Touboul cites the example of one
large global financial institution he works with which experiences more
than two billion such "events" a month, ranging from an employee
receiving a malicious email to user or system-generated alerts of
attacks or glitches.
Machine defenses filter those down to 200,000, before a human team cuts that to 200 "real" events a month, he added.
are not obliged to reveal every such instance as cyber attacks fall
under the FCA's provision for companies to report any event that could
have a material impact, unlike in the U.S. where forced disclosure makes
reporting more consistent.
"There is a gray area... Banks are in
general fulfilling their legal obligations but there is also a moral
requirement to warn customers of potential losses and to share
information with the industry," Ryan Rubin, UK Managing Director,
Security & Privacy at consultant Protiviti, said.
are not alone in their reluctance to disclose every cyber attack. Of
the five million fraud and 2.5 million cyber-related crimes occurring
annually in the UK, only 250,000 are being reported, government data
But while saving them from bad publicity or worried
customers, failure to report more serious incidents, even when they are
unsuccessful, deprives regulators of information that could help prevent
further attacks, the sources said.
A report published in May by
Marsh and industry lobby group TheCityUK concluded that Britain’s
financial sector should create a cyber forum comprising bank board
members and risk officers to promote better information sharing.
experts said that while reporting all low level attacks such as email
"phishing" attempts would overload authorities with unnecessary
information, some banks are not sharing data on more harmful intrusions
because of concerns about regulatory action or damage to their brand.
most serious recent known attack was on the global SWIFT messaging
network in February, but staff from five firms that provide cyber
security products and advice to banks in Britain told Reuters they have
seen first-hand examples of banks choosing not to report breaches,
despite the FCA making public pleas for them to do so, the most recent
"When I moved from law enforcement to banking and
saw what banks knew, the amount of information at their disposal, I
thought 'wow', I never had that before," Troels Oerting, Group Chief
Information Security Officer at Barclays and former head of Europol's Cyber Crime Unit, said.
who joined Barclays in February last year, said since then banks'
sharing of information with authorities has improved dramatically and
Barclays shares all its relevant information on attacks with regulators.
"Banks are dramatically
under-reporting attacks, they do what's legally required but out of
embarrassment or fear of punishment they aren't giving the whole
picture," one of the sources, who declined to be named because he did
not want to be identified criticizing his firm's customers, said.
Apart from Barclays, the other major British banks all declined to comment on their disclosures.
The Bank of England declined to comment and the FCA did not respond to requests for comment.
Companies that use external security systems also do not always inform them of attacks, the sources said.
customers sometimes detect attacks but don't tell us," Touboul, whose
firm helps protect banks' SWIFT payment networks by luring attackers to
decoy systems, said.
Hackers used the bank messaging system that
helps transmit billions of dollars around the world every day to steal
$81 million in one of the largest reported cyber-heists.
attacks, in which organized criminals penetrate bank systems and then
lurk for months to identify and profile key executives and accounts, are
becoming more common, David Ferbrache, technical director Cybersecurity
at KPMG and former head of cyber and space at the UK Ministry of
"The lesson of the SWIFT attack is that the
global banking system is heavily interconnected and dependent on the
trust and security of component members, so more diligence in controls
and more information sharing is vital," Ferbrache said.
banks are spending enormous amounts of money, $400-500 million a year,
but there are still vulnerabilities in their supply chains and in
executives' home networks, and organized crime groups are shifting their
focus accordingly," Yuri Frayman, CEO of Los Angeles-based cyber
security provider Zenedge, said.
increasingly sensitive to the brand damage caused by IT failings,
perceiving customers to care just as deeply about security and stable
service as loan or deposit rates.
Former RBS
Chief Executive Stephen Hester waived his bonus in 2012 over a failed
software update which caused chaos for thousands of bank customers.
HSBC issued multiple apologies to customers after its UK personal
banking websites were shuttered by a distributed denial of service
(DDoS) attack, following earlier unrelated IT glitches.
don't care about a 0.1 percent interest rate change but 'will this bank
do the utmost to keep my money and information safe?'" Oerting said.