UK banks are reportedly failing to disclose the full extent of the number and nature of security incidents they are experiencing due to a fear of financial punishment and negative publicity.
Banking execs and security experts have stated that the banks are using grey areas in reporting structures in order to downplay the extent of which they are being targeted on a daily basis.
According the UK’s financial regulation authority, the FSA, where banks have an obligation to report any incident to, have claimed last month that last year there were only a total of 75 incidents.
This in itself is a marked increase from the declared 27 in 2015 and 5 in 2014. Any active members of the security industry will recognize these figures as incredibly low and unrealistic given the nature of today’s security and malware environment.
“Banks are dramatically under-reporting attacks, they do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” was the claim from an anonymous source within the cyber security space of the banking sector.
Mark James, a security specialist from ESET stated “Reporting every one of those attempts would indeed clog systems with lots of unnecessary information and I’m sure there will be a lot that never makes the light of day,”
He went on to add “However, the problem of course is perceived security, as more and more breaches happen and more malware is being used to target financial systems, then the damage caused when things go wrong can be so great decisions will be made to keep it quiet. However, with the public becoming more aware of the damage caused by lapsed security, this may influence the decision on who is to look after their savings and daily finances in the future.”
These figures could be set to change as the reporting parameters are expected to be tightened with the imminent EU General Data Protection Regulation (GDPR) which will introduce a mandatory reporting structure that all UK banks and lenders will be compelled to comply with.
This will require mandatory notification within 72 hours of security breaches and will instate the possibility of fines of up to £18M GBP or 4% of annual turnover for what’s deemed as a serious non-compliance and infractions.
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
(Security Affairs – security breaches, cyber security)