Britain's banks are not reporting the full extent of cyber attacks to regulators for fear of punishment or bad publicity, a recent story by Reuters has shown.
Reported attacks on financial institutions in Britain have risen from just 5 in 2014 to 75 so far this year, data from Britain's Financial Conduct Authority [FCA] show. However, bankers and experts in cyber-security say many more attacks are taking place. In fact, banks are under almost constant attack.
Banks are not obliged to reveal every such instance, because cyber attacks fall under the FCA's provision for companies to report any event that could have a material impact. In the U.S., by contrast, forced disclosure makes reporting more consistent.
Banks are not alone in their reluctance to disclose every cyber attack. Of the five million fraud and 2.5 million cyber-related crimes occurring annually in the UK, only 250,000 are being reported, government data show. A report published in May by Marsh and industry lobby group TheCityUK concluded that Britain’s financial sector should create a cyber forum comprising bank board members and risk officers to promote better information sharing.
Security experts said that while reporting all low-level attacks such as email "phishing" attempts would overload authorities with unnecessary information, some banks are not sharing data on more harmful intrusions because of concerns about regulatory action or damage to their brand.
The most serious recent known attack was on the global SWIFT messaging network in February. But staff from five firms that provide cyber security products and advice to banks in Britain told Reuters they have seen first-hand examples of banks choosing not to report breaches, despite the FCA making public pleas for them to do so, most recently in September.
The Bank of England has declined to comment and the FCA has also not responded to requests for comment from journalists.