The media often reports on cyber attacks and the harm suffered by retail customers, and consumers hear from the FCA and firms alike most frequently in relation to phishing and credential compromise (as part of broader education campaigns about scams). You'd be forgiven, then, for thinking that these are the greatest cyber and tech risks for regulated financial services firms. But the picture is more nuanced, as revealed in recently published FCA data about the cyber and tech incident reports that it receives from firms.

It's true that retail banking generates the majority of reports - but wholesale financial markets come in a substantial and surprising second place, with 20% of reports in 2020.

Cyber attacks were the root cause for only 10% of reports. There were significantly more reports relating to hardware/software issues, third party failures and change management, and process/control failures and simple human error were also substantial contributors. This suggests that, to mitigate commercial (and regulatory enforcement) risk, firms should not neglect their own systems, processes and controls, employee training, and monitoring and oversight of third party outsourced service providers. They can draw guidance in this regard not just from FCA guidance and the observations of the FCA's Cyber Coordination Groups but also from recent enforcement action such as the Raphael's Bank fines.

And there are surprising lessons to be drawn from the statistics on the root cause of cyber incidents in particular. Phishing and credential compromise is actually declining precipitously as a root cause. Whilst it remains important to allocate resource to mitigating this risk, firms should be devoting at least as much attention to protecting against malware/malicious code, ransomware and other cyber attacks, which together underpinned almost 70% of reports.