Reference Case Number: FOI9146
Freedom of Information: Right to know request:
The number of [cyber attack] incidents which were reported to the FCA nd recorded using the following tags:
1) Cyber – 3rd Party
2)Cyber – Malware
3)Cyber – Phishing
Please provide this data broken down by month.
FCA response:
We can confirm that we hold the requested information, which can be found in Annex A below.
By way of context, it may be helpful to explain that we hold centralised records on major operational incidents reported to the FCA by individual firms under SUP 15.3 and Principle 11. This includes incidents that are a result of cyber-attacks.
Where a firm has notified the FCA of a cyber-attack, the FCA can record the root cause component / vectors of those cyber-attacks in the following way:
- Cyber – 3rd Party
- Cyber – Malware
- Cyber – Phishing
- Cyber – Ransomware
As requested, the figures in Annex A, include incidents which were reported to the FCA and recorded using the ‘Cyber – 3rd Party’, ‘Cyber – Malware’ and ‘Cyber – Phishing’ tags in 2021, broken down by month.
Please note that:
- the figures below do not include cyber incidents at FCA regulated firms that have not been reported directly to the FCA; and
- all data is accurate as of 30 March 2022 and are subject to change due to the ongoing investigations of incidents.
Annex A
1.Cyber – 3rd Party
|
Month (2021) |
Number or cyber incidents reported that involves an incident at a 3rd party supplier |
|---|---|
|
January |
5 |
|
February |
1 |
|
March |
13 |
|
April |
2 |
|
May |
0 |
|
June |
1 |
|
July |
4 |
|
August |
0 |
|
September |
7 |
|
October |
4 |
|
November |
1 |
|
December |
0 |
|
Total Number |
38 |
2.Cyber – Malware
|
Month (2021) |
Number or cyber incidents reported that involves malware |
|---|---|
|
January |
0 |
|
February |
1 |
|
March |
2 |
|
April |
2 |
|
May |
2 |
|
June |
1 |
|
July |
1 |
|
August |
0 |
|
September |
0 |
|
October |
1 |
|
November |
0 |
|
December |
0 |
|
Total Number |
10 |
3.Cyber – Phishing
|
Month (2021) |
Number or cyber incidents reported that involves phishing/credential compromise |
|---|---|
|
January |
5 |
|
February |
4 |
|
March |
3 |
|
April |
6 |
|
May |
3 |
|
June |
3 |
|
July |
1 |
|
August |
3 |
|
September |
1 |
|
October |
3 |
|
November |
3 |
|
December |
1 |
|
Total Number |
36 |