Brian Sims
Editor
KROLL – THE provider of services and digital products related to governance, risk and transparency – has revealed that the number of data breaches reported to the Financial Conduct Authority (FCA) fell by 30% from 2019 to 2020. This directly contradicts Kroll’s own data which, looking across all industries, shows a 56% average rise in incidents over the same timeframe, with the financial services industry sitting slightly above that average.
Freedom of Information data obtained by Kroll from the FCA shows that the number of reportable cyber incidents where company or personal data was potentially compromised or breached dropped by 30% to 76 in 2020. This compares to 108 during the same time period in 2019.
In reality, the number of data breaches is expected to be far higher, with Kroll’s proprietary data showing that, during the same period, the overall number of incidents impacting UK organisations rose by 56%, in turn leading to an increase in consumer notifications of more than 41% when compared to 2019.
This disparity between official FCA statistics and the reality of the current cyber threat landscape means the increase in the sophistication and volume of attacks is in danger of going unaddressed. The gap is likely linked to changes in data breach reporting practice brought about by the General Data Protection Regulation (GDPR).
GDPR requirements are broadly subjective, requiring a determination of an increased risk of harm without a firm definition of what harm is. In the early days following the introduction of the GDPR and its adoption into national legislation, many companies suffering cyber incidents felt compelled to report out of an overabundance of caution. More recently, however, it’s fair to state that legal counsel is taking a more robust approach to notification in order to protect clients from the reputational and financial damage that often follows.
Expert guidance
Requirements for notifying data protection authorities, consumers and the FCA are each different and call for expert guidance. Therefore, when faced with a breach, companies should consult the right experts qualified to make informed decisions.
Andrew Beckett, managing director and EMEA leader for cyber risk at Kroll, commented: “The regulator’s official figures don’t match up with what we’re seeing on the ground. The pandemic has undoubtedly created more opportunities for cyber criminals, so a supposed drop in attacks doesn’t ring true. In an environment where threats are multiplying in number and developing in sophistication, it’s imperative that companies develop and fine-tune their entire incident response approach. Legal counsel, digital forensics, notification provider and crisis communications vendors should be mapped out, agreements negotiated and the entire programme tested at least on an annual basis.”
Beckett added: “The complex regulatory environment and higher public awareness demands careful integration of these privacy and security controls. With criminals extorting customers in a variety of non-technical ways, such as by way of social media, spam calls and customer and media outreach, etc, vigilance needs to be extended across the entire spectrum of digital channels.”
Material increase
Keily Blair, head of Orrick, Herrington & Sutcliffe’s UK cyber, privacy and data innovation team, noted: “Like Kroll, we’ve seen a material increase in the number and severity of cyber security incidents during 2020 and that trend is continuing into 2021. Among other things, the difference between the FCA’s and Kroll’s proprietary data reflects the difference between cyber security incidents and reportable personal data breaches.”
Blair continued: “The GDPR is still a relatively new and complex piece of legislation. Businesses were hyper-vigilant when it came to reporting to the Information Commissioner’s Office and the FCA in the initial stages of its implementation. The drop in the FCA numbers likely reflects the fact that organisations are becoming more adept at assessing whether an incident truly meets the necessary thresholds to trigger a report to the FCA.”
In conclusion, Blair informed Security Matters: “As such, there’s no doubt that the FCA figures are the tip of the iceberg. The worry is that, by seeing these figures, and without the benefit of knowing what’s happening below the surface, organisations may misinterpret the true nature and extent of the cyber security threat, leading to complacency and greater risk.”