Data breach reports in Finance and Insurance sectors up 74% in two years

Data breaches in the finance, insurance and credit sectors reported to the United Kingdom’s Information Commissioner’s Office (ICO) increased by 74 percent in the past two years.

Reports in the legal sector rose 112 percent. The data was gathered and published by Kroll, though a request made under the Freedom of Information Act, and analysis of publicly available ICO data.

Interestingly, Kroll’s analysis reveals that risks posed by human error were greater compared the threat posed by cyber attacks. In the past year 2,124 reports were attributed to human error, compared to just 292 that were deliberate cyber incidents.

According to Kroll, the most common types of incidents due to human error include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason.

Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102 incidents), malware (53), phishing attacks (51) and ransomware (33).

Kroll says the increase in reports indicates that organisations have been gearing up for a new era of transparency around data breaches under the General Data Protection Regulation (GDPR), which came into force in May.

It expects both the number of reports and value of fines issued to increase significantly under the new regulation, creating much greater regulatory and reputational risks for businesses.

Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, said, “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK.

“The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.”

He added, “We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 percent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”

Indeed, the loss of reputation for non-compliance to the changing governing landscapes - including failure to adhere to new regulations - was highlighted at an ICC Financial Investigation Bureau (FIB) conference held in Kuala Lumpur, Malaysia recently.

In his keynote speech at the International Financial Crime and Money Laundering Forum, David Hughes, Partner at Stewarts Law LLP spoke about how the loss of reputation for non-compliance can be extremely high for businesses and that negligence can result in not just civil, but criminal penalties as well.

Hughes said even if a business survives financial upheaval, it may not survive the reputational consequences, which could include loss of shareholder faith, loss of public faith, removal of practicing licences and blacklisting in respect of public tenders.

More information about FIB can be found at https://www.icc-ccs.org/icc/fib

Top 10 sectors for data breach reports, 2017/18 and percentage changes over two years

Source: Kroll

Data breach reports arising from specific kinds of cyber incident

Source: Kroll

Data breach reports arising from specific kinds of human error

Source: Kroll