
FOI disclosure reveals three-fold increase in self-reported cyber-related personal data breaches to the ICO by financial services organisations

Posted on 7 September 2023

Figures obtained in a Freedom of Information Act (FOIA) disclosure by the Information Commissioner's Office (ICO) have revealed a notable three-fold increase over the last year in self-reported cyber-related personal data breaches to the ICO by financial services organisations.

In total, nearly a thousand cyber security breaches affecting personal data have been reported in the last two years. 731 breaches were reported between June 2022 and June 2023 - a significant increase from the 261 cases reported between June 2021 and June 2022. However, the ICO is yet to fine any financial services company under the GDPR and the UK GDPR.

The GDPR (and, since Brexit, the UK GDPR) obliges any company which has suffered a "personal data breach" to report it to the ICO within 72 hours, unless it is "unlikely to result in a risk to the rights and freedoms" of individuals affected.

If an ICO investigation finds that the breach was the result of a failure to have appropriate security measures in place, the company involved could face a range of sanctions, from informal advice to a fine of up to £17.5 million or 4% of global annual turnover, whichever is higher.

The significant increase in incidents reported to the ICO indicates the current risks to companies, and, more importantly, their customers, from malicious cyber attacks, but also highlights that many businesses may have inadequate security measures in place.

Jon Baines, Senior Data Protection Specialist at Mishcon de Reya, commented: "The ICO hasn't speculated on why there has been such a big increase in reports. It could be that cyber criminals are targeting the financial services sector even more intensely than previously. Personal data breaches of any kind, but particularly cyber incidents, put customers of companies in the sector at potential risk of fraud and identity theft.

"Although the ICO has not tended to issue fines for failings in this area, the increase in reported incidents could – and possibly should – lead to a review of that approach. In any case, fines remain a risk for the most serious of incidents, as does the possibility of legal claims from customers. And just as important for financial services companies is the reputational harm that can result.

"Businesses in the sector should regularly review their security arrangements to be sure they are up to scratch. But they also need to be aware that not every incident has to be reported to the ICO - a malicious attack that does not result in a risk to customers is unlikely to need reporting. It is important to do a proper – and prompt – risk assessment of any security incident, and where necessary, take appropriate professional and legal advice."
