[BreachExchange] UK Banks not reporting cyber-attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 21 10:04:29 EDT 2016


http://www.scmagazineuk.com/uk-banks-not-reporting-cyber-attacks/article/560288/

Many cyber-attacks on large UK banks never get reported, according to
experts. Reuters reported that, although the Financial Conduct Authority
has recorded a large uptick in reported attacks against banks, reaching 75 so
far this year, many banks are still not reporting those attacks.

The international newswire quoted Shlomo Touboul, chief executive of
Illusive Networks, who said that banks often experience millions, sometimes
billions, of ‘events’ a month and report only a few.

The UK has no general reporting requirements, meaning that banks aren't
always compelled to tell authorities, or their customers, about
cyber-attacks, except in cases of ‘serious breaches’. One might say that
reporting every single attack, given their frequency, would be a waste of
time for the banks and the Information Commissioner's Office (ICO).

Not necessarily, Mark James, security specialist at ESET, told
SCMagazineUK.com: “Reporting every one of those attempts would indeed clog
systems with lots of unnecessary information and I'm sure there will be a
lot that never makes the light of day. However, the problem of course is
perceived security, as more and more breaches happen and more malware is
being used to target financial systems, then the damage caused when things
go wrong can be so great decisions will be made to keep it quiet. However,
with the public becoming more aware of the damage caused by lapsed
security, this may influence the decision on who is to look after their
savings and daily finances in the future.”

James added, “the public have a right to know what a company is doing
regarding security and privacy, because only then can they make an informed
decision based on facts.”

This news seems to have come at a relevant time considering that it was
only last Tuesday that the G7, a group of the most powerful countries on
earth, released a set of guidelines for the financial industry on
cyber-security.

The document sets out not rules but ‘non-binding principles’, stating that
sharing information with public bodies and within the sector is paramount
to advancing the health of the sector:

“Sharing broader insights among entities, between entities and public
authorities, and among public authorities deepens collective understanding
of how attackers may exploit sector-wide vulnerabilities that could
potentially disrupt critical economic functions and endanger financial
stability.”

This, the note adds, is also a problem for regulators: “Given its
importance, entities and public authorities should identify and address
impediments to information sharing”.

While the City of London Police declined to comment, the National Police
Chief's Council's Lead for Cybercrime offered one. Deputy Chief Constable
Peter Goodman told SC that, “the banking sector actively support our
protect, prepare, prevent and pursue strategy and are directly linked in
with police forces and Regional Organised Crime Units (ROCU's)." Goodman
added that police are actively working with banks on a variety of
initiatives to report crime and protect customers.