Up to 20 million people in the UK affected by cyber-attacks on financial services businesses in the last year – 143% increase in attacks in a year

The data belonging to as many as 20.4 million* people has been compromised in cyber-attacks on financial services companies in the last year (year-end Dec 31 2023) – a 143% increase from 8.4 million individuals affected in the previous year. Those data breaches included cyber-attacks on banks and pension funds. In the year to June 30 2023, there were 640 cybersecurity breaches at UK financial services firms. Of these, 246 were in the pensions sector alone.

Chaucer says that although financial services companies often have very well-developed defences against cyber-attacks, they are still attractive targets due to the amount of valuable personal data that they hold.

“The main effort of cyber-attacks on a pension fund or a bank is rarely the theft of assets held by the bank. More often, it is an attempt to steal personal data that can then be resold or held for extortion as part of a ransomware attack.”
“Financial services businesses will often hold huge amounts of data they collect as part of their client onboarding process such as debit and credit card numbers, passports, address information, and other ID documents. This data is highly valuable and is regularly traded on the dark web.”
“Financial services firms are also thought to be more susceptible to the blackmail element of ransomware attacks. If a financial services firm loses its reputation for data security, then it could rapidly lose clients and could impact shareholder trust.”
Ben Marsh
Class Underwriter, Chaucer

Hackers have also successfully attacked financial services firms by targeting third-party organisations that financial services providers outsource work to. The Pensions Regulator’s cybersecurity guidance stipulates that trustees are liable for the security of a pension scheme’s assets and data – even if outsourced to a third party.

Companies that fall victim to cyber-attacks can face such substantial losses that they increasingly rely on insurance to cover those costs. Costs can include external IT and data security consultants to fix data security issues and get IT systems back up and running, legal advice, compensation, loss of revenue from business interruption, and ransomware payments. Whether all of those losses are covered depends on the specifics of the cyber-breach insurance policy.

“Companies are realising more and more that investment in cybersecurity is a continuous cycle of improved protection and protocols to defend against cyber-attacks – especially as cyber criminals evolve their tactics, leveraging emerging technologies such as AI.”
Ben Marsh
Class Underwriter, Chaucer

The number of people affected by cyber data breaches of financial services firms has more than doubled in the past year.

*Source: ICO. May include individuals that had their financial data compromised more than once in different and unrelated data breaches.


Published on 28.05.2024