The UK Financial Conduct Authority (FCA) has issued new rules designed to give firms more certainty about what cyber‑related incidents to report and when, in order to bolster their cyber and business resilience.
The financial services regulator said the update came after industry feedback that organizations often aren’t clear on what to report and what information to provide when they do.
“Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on,” said FCA director of specialists and wholesale sell-side, Mark Francis.
“These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.”
The new rules cover both internal cyber-related incidents and incidents or outages caused by suppliers and service providers.
The FCA said it had:
- Created a streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England, featuring a single reporting portal
- Removed duplicated incident reporting for payment service providers and credit rating agencies
- Refined the overall information required, allowing most regulated firms to simply complete a short form
- Added clearer guidance on thresholds, definitions and responsibilities
Third-Party Risk to the Fore
The FCA said the new reporting regime is important at a time when financial services firms are increasingly reliant on third parties.
Citing recent outages at AWS and Cloudflare which affected the industry, it said 40% of the incidents reported to the FCA in 2025 involved a third party.
This trend has been reflected in a growing focus on third-party risk management in the EU’s Digital Operational Resilience Act (DORA) and the UK’s Cyber Security and Resilience Bill currently making its way through parliament.
Firms now have 12 months to prepare for the new reporting regime, which will come into force on March 18, 2027.
The FCA said it will use the data reported to it to share insights that will help firms to improve operational resilience, as well as to keep the industry updated during major outages.
