Report highlights scale of cyber security risks to the collections sector

The Credit Services Association (CSA), the UK trade body for the debt collection and purchase industry, has published a new report highlighting the rising scale, complexity and cost of cyber security risks facing its members, urging them to prioritise resilience as a core operational and governance responsibility.

The report, titled ‘Cyber Security: The Billion Pound Risk’, highlights just how financially and operationally devastating cyber incidents can be, with recent high-profile events demonstrating the far-reaching consequences of operational outages, data breaches and ransomware attacks. The findings follow a period in which the UK has seen a 50% rise in highly significant cyber-attacks, placing unprecedented pressure on firms, their supply chains and consumers.

Drawing on CSA member survey data, the report reveals that while the sector exhibits a great deal of assuredness, there is also recognition that there is scope to enhance preparations. Almost 90% of surveyed members report having cyber insurance in place, but the trade body warns that insurance alone is not enough and must be supported by strong internal controls, proactive monitoring and organisation-wide awareness.

Alongside sector analysis, the report identifies several factors amplifying the threat landscape, including the prevalence of legacy systems, the pace of digital transformation, increased reliance on cloud infrastructure, and the surging accessibility of AI-powered attack tools. It also highlights the urgent need for board-level engagement, routine staff training, and the adoption of recognised security standards.

The report also calls for stronger regulatory oversight of critical third parties to protect entire sectors from systemic outages, clearer regulatory guidance to resolve seemingly conflicting regulatory positions on data retention versus data minimisation, greater clarity on expectations around the use of AI in cyber security risk management and detection, with consideration of the operational risks associated with the Government’s proposed ransomware payment ban.

Daniel Spenceley, CSA Head of Policy and author of the report, said “As cyber-attacks grow in sophistication, businesses of all sizes — not just critical national infrastructure — are exposed to financial, regulatory and reputational harm. The importance of effective cyber governance and awareness is abundantly clear. It is crucial that firms take a proactive, structured and well-governed approach to protecting themselves and the consumers they serve.”

“We cannot allow cyber criminals to exploit weaknesses in systems, processes or governance. Firms must invest now to protect themselves — and regulators and policymakers must ensure the wider framework supports resilience across all sectors.”