At the beginning of 2021 the world realised that the unprecedented challenges of the previous year were not yet behind us. The healthcare industry continued to battle the COVID-19 pandemic while, in parallel, suffering increasingly sophisticated cyber attacks. The ransomware operators who proliferated in 2020 are as active as ever, and the techniques and processes they employ are increasingly damaging.
VMware’s 2021 Global Incident Response Threat Report found that cybercriminals are now manipulating reality (attacking the integrity of data and systems rather than simply stealing data) in their attempts to execute cyber attacks. And, with the growth of remote working over the last 18 months, around 32% of respondents reported attackers using business communication platforms such as Microsoft Teams, Zoom and Skype to move around an environment and launch sophisticated attacks. You can learn more in our highlights of Verizon’s latest Data Breach Investigations Report. This year’s report is the biggest yet, with the Verizon team analysing 5,258 data breaches from organisations around the world, and the 2021 instalment also shines a light on how the COVID-19 pandemic altered online criminal activity.
According to a BBC article from 2019, cyber incident reports in the UK finance sector rose by more than 1,000% in 2018. The figures came from a Freedom of Information (FOI) request to the Financial Conduct Authority (FCA), and the article stated that ‘consumer bank accounts accounted for nearly 60% of the reports submitted to the FCA last year’. A headline like this, raising fears of hackers stealing your life savings, is certainly attention-grabbing. Yes, cyber crime is on the increase and we have written a blog on it, but on closer inspection of the figures, cyber attacks accounted for only 11% of the incidents reported. So what were the other 89%? The article raises two very good questions: what is a cyber incident, and when should you report it?
According to the National Cyber Security Centre (NCSC), a cyber incident is:
“a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”
Of the 819 cyber incidents reported to the FCA in 2018, 93 were confirmed as a type of cyber attack such as DDoS, malware or ransomware, and of these the majority, not surprisingly, were phishing attacks. The most frequent category, however, at 174 of the 819, was third-party failures.
I found an article dating back to April 2017 which refers specifically to UK firms being unprepared for third-party failures while at the same time being over-reliant on third parties. The 2018 figure suggests that not a lot has improved since then, although in the two years since that article businesses have been pushed further towards third-party cloud services as that industry has grown. The important takeaway is that management of third-party suppliers needs to improve. For a full review of how to manage your suppliers, I suggest you read our supply chain security guide.
The second most frequent cause of cyber incidents, at 157, was hardware and software issues causing service disruption. Again, reliance on third parties and on third-party products and services is an area of security risk that must be managed.
When to report a cyber-incident
Creating an incident response plan helps you to decide in advance who will be told what, and when, in the event of an incident. When to report a cyber incident, and to whom, varies depending on the consequences of the event and the industry you operate in.
The Network and Information Systems (NIS) Regulations 2018 apply to Operators of Essential Services (OES) in sectors critical to the economy and wider society, such as water, transport, energy, healthcare and digital infrastructure. The NIS Regulations came into force in May 2018, a fortnight before the GDPR, though with a lot less fanfare.
OES have incident reporting obligations under NIS, to the competent authority for their sector. Banking and financial market infrastructure were left outside the UK NIS Regulations because they are already supervised by the FCA, the PRA and the Bank of England; regulated financial firms must instead notify the FCA of material cyber incidents under the FCA Handbook (Principle 11 and SUP 15.3) when their systems, or the digital data stored and processed within them, are compromised. That FCA notification route is the reporting channel behind the FOI figures above.
Under the UK General Data Protection Regulation (UK GDPR), if a cyber incident results in “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, the data controller must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the risk is high, the affected data subjects must also be informed without undue delay.
Non-compliance with the UK GDPR risks a fine of up to £17.5 million or 4% of annual global turnover, whichever is greater, but the costs to the organisation, separate from any fine levied, may be significant and include reputational damage and lost business. Non-compliance with the NIS Regulations also risks a fine of up to £17 million. The GDPR and NIS are separate laws, so a single cyber incident that infringes both could lead to enforcement action from both the ICO and the relevant NIS competent authority.
The increased reporting of cyber incidents in the finance sector during 2018 is undoubtedly linked to the heightened regulatory attention that came with the introduction of the GDPR and the NIS Regulations in May 2018. Uncertainty about what needs to be reported has led to a belt-and-braces approach by firms fearful of falling foul of the new laws.
We have experience advising organisations with GDPR and NIS compliance. If you would like to discuss your compliance obligations, please contact us.