How Often do Banks Suffer IT Incidents?

We have often blogged about IT incidents within the banking sector and commented upon the frequency of these events, but how common are they? Since April 2018, UK banks have had to report “Operational and Security Incidents” affecting personal and business current accounts to the FCA if they reach any of the following thresholds:

  • > 10% of transactions affected;
  • > 5000 payment service users affected; and/or
  • > 2 hours service downtime.

The latest figures on the FCA website relate to the period July 2019 to June 2020. Firms report for each of their brands, with the top brand for incidents during this period being Santander with a total of 12. Beyond that, the picture is less clear: HSBC, First Direct (both part of HSBC Group), Clydesdale Bank, Virgin Money and Yorkshire Bank (all part of CYBG) all report 11 incidents. This strongly suggests that these were not all separate incidents, but rather incidents affecting platforms that had an impact across each of the two banking groups.

Once again, it is hard to aggregate incidents because of the way in which they are reported, but broadly it looks like a third of incidents affect mobile banking and a similar number affect internet banking; impacts on telephone banking are significantly less common.

Unsurprisingly, many of the other big brands also feature prominently such as Lloyds Bank and Bank of Ireland with 10 incidents each; and Bank of Scotland, Halifax and Intelligent Finance (all former HBOS brands) all reporting 8 incidents.  Interestingly though, The Coop Bank and Barclays only report 2 incidents each.  However, the fact that Barclays reported 43 incidents in the period April to December 2018 suggests that there may be some issues in comparing figures across time and across different brands.

Overall, then, we conclude that it is difficult to deduce much with any certainty from the published figures. However, the fact that banks are now obliged to report these data will hopefully be a driver to improve their IT resilience. This improvement should be visible over time in the reduced occurrence of high-profile disruptions that hit the headlines.