In order to keep their public images intact, many financial institutions in Britain are choosing not to report the full extent of cyberattacks to regulators.
Bank executives and providers are more concerned about the penalties or bad publicity that may follow from disclosing their cybersecurity vulnerabilities.
In the U.S., companies are forced to report when these types of incidents take place, but under Britain’s Financial Conduct Authority (FCA) provision, companies are only required to report cyberattacks if they believe the event will have a material impact.
“There is a gray area … Banks are, in general, fulfilling their legal obligations, but there is also a moral requirement to warn customers of potential losses and to share information with the industry,” Ryan Rubin, U.K. managing director of security and privacy at Protiviti, told Reuters.
According to data from the FCA, the number of reported attacks from banks in Britain has grown from just five in 2014 to 75 so far in 2016.
However, government data shows that private businesses are also very reluctant to report when cybercrime is perpetrated against them.
Just 250,000 cybercrime incidents are reported out of the roughly 5 million fraud incidents and 2.5 million cyberattacks that take place each year.
Though keeping cyberattacks under wraps may help avoid a damaged reputation or disgruntled customers, not reporting also keeps regulators in the dark about information that could help stop further attacks down the road.
“When I moved from law enforcement to banking and saw what banks knew, the amount of information at their disposal, I thought, ‘Wow.’ I never had that before,” Troels Oerting, group chief information security officer at Barclays and former head of Europol’s Cyber Crime Unit, explained to Reuters.
Oerting noted that banks sharing more information with authorities can make a dramatic difference when it comes to fighting cybercrime.