Tue, May 4, 2021

Data Breach Reports to FCA Down 30% Despite UK Cyber Incidents Increasing 56%

The number of data breaches reported dropped 30% between 2019 and 2020, according to FCA data, while Kroll data reveals 56% growth in incidents over the same period

Drop in FCA figures masks increase in sophistication and volume of cyber attacks

London – Kroll, the world’s premier provider of services and digital products related to governance, risk and transparency, today reveals that the number of data breaches reported to the FCA fell by 30% between 2019 and 2020. This directly contradicts Kroll’s own data which, looking at all industries, showed a 56% average rise in incidents over the same timeframe, with the financial services industry slightly above that average.

Freedom of Information data obtained by Kroll from the FCA shows that the number of reportable cyber incidents where company or personal data was potentially compromised or breached dropped 30% to 76 in 2020, compared to 108 during the same time period in 2019 (Figure 1).

In reality, the number of data breaches is expected to be far higher, with Kroll’s proprietary data showing that during the same period the overall number of incidents impacting UK organisations rose 56%, leading to an increase in consumer notifications of more than 41% when compared to 2019.


Figure 1 – Comparison of data breaches reported to the FCA in 2020 and 2019

This disparity between official FCA statistics and the reality of the current cyber threat landscape is likely linked to changes in data breach reporting practices following GDPR, and it means the increase in the sophistication and volume of attacks is in danger of going unaddressed.

GDPR requirements are broadly subjective, requiring a determination of an increased risk of harm without a firm definition of what harm is. In the early days following the introduction of GDPR and its adoption into national legislation, many companies suffering cyber incidents felt compelled to report out of an overabundance of caution. More recently, however, legal counsel is taking a more robust approach to notification in order to protect clients from the reputational and financial damage that often follows a report.

Requirements for notifying data protection authorities, consumers and the FCA are each different and call for expert guidance. Therefore, when faced with a breach companies should consult the right experts qualified to make informed decisions.

Andrew Beckett, Managing Director and EMEA Leader, Cyber Risk, Kroll, comments: “The regulator’s official figures don’t match up with what we’re seeing on the ground. The pandemic has undoubtedly created more opportunities for cyber criminals, so a supposed drop in attacks doesn’t ring true.”

“In an environment where threats are multiplying in number and developing in sophistication, it is imperative that companies develop and fine-tune their entire incident response approach. Legal counsel, digital forensics, notification provider and crisis communications vendors should be mapped out, agreements negotiated and the entire program should be tested at least annually.”

“The complex regulatory environment and higher public awareness demands careful integration of these privacy and security controls, and with criminals extorting customers in a variety of non-technical ways (social media, spam calls, customer and media outreach, etc.), vigilance needs to be extended across the entire spectrum of digital channels.”

Keily Blair, Head of Orrick, Herrington & Sutcliffe’s UK Cyber, Privacy and Data Innovation team, noted that: "Like Kroll, we have seen a material increase in the number and severity of cyber security incidents during 2020 and that trend is continuing into 2021. The difference between the FCA and Kroll's proprietary data reflects, among other things, the difference between cyber security incidents and reportable personal data breaches.

The GDPR is still a relatively new and complex piece of legislation and we certainly saw businesses being hyper-vigilant when it came to reporting to the ICO and the FCA in its initial stages of implementation. The drop in the FCA numbers likely reflects that organizations are becoming more adept at assessing whether an incident truly meets the necessary thresholds to trigger a report to the FCA.

As such there is no doubt that the FCA figures are the tip of the iceberg. The worry is that by seeing these figures, without the benefit of knowing what is happening below the surface, organizations may misinterpret the true nature and extent of the cyber security threat leading to complacency and greater risk."

About Kroll
Kroll is the world’s premier provider of services and digital products related to valuation, governance, risk and transparency. We work with clients across diverse sectors in the areas of valuation, expert services, investigations, cyber security, corporate finance, restructuring, legal and business solutions, data analytics and regulatory compliance. Our firm has nearly 5,000 professionals in 30 countries and territories around the world. For more information, visit www.kroll.com.

Further Information (Journalists Only)

Media Enquiries
Alex Eyre
07540 282 762
