UK banks failing to report ‘constant’ cyber attacks

Mr Touboul cites the example of one large, global financial institution with which he works. It experiences more than 2bn such “events” a month, ranging from an employee receiving a malicious email to system-generated alerts of attacks or glitches.

Machine defences filter those down to 200,000, before a human team cuts that to 200 “real” events a month, he added.

Banks are not obliged to reveal every such instance, as cyber-attacks fall under the FCA’s provision for companies to report any event that could have a material impact, unlike in the US, where forced disclosure makes reporting more consistent.

“There is a gray area...Banks are, in general, fulfilling their legal obligations, but there is also a moral requirement to warn customers of potential losses and to share information with the industry,” Ryan Rubin, UK managing director of security and privacy at consultant, Protiviti, said.

Banks are not alone in their reluctance to disclose every cyber-attack. Of the 5m fraud and 2.5m cyber-related crimes occurring annually in the UK, only 250,000 are being reported, government data show.

But while saving companies from bad publicity or worried customers, failure to report more serious incidents, even when they are unsuccessful, deprives regulators of information that could help prevent further attacks.

A report published in May, by Marsh and industry lobby group, TheCityUK, concluded that Britain’s financial sector should create a cyber-forum, comprising bank-board members and risk officers to promote better information-sharing.

Security experts said that while reporting of all low-level attacks, such as email “phishing” attempts, would overload authorities with unnecessary information, some banks are not sharing data on more harmful intrusions, because of concerns about regulatory action or damage to their brand.

The most serious, recent known attack was on the SWIFT messaging network, in February.