If you operate an FCA-regulated financial services firm, cyber security is not optional - it is a core regulatory obligation. The FCA expects all authorised firms to have robust cyber defences proportionate to the nature and scale of their business.

The operational resilience rules that came into force in March 2022 require firms to demonstrate they can prevent, respond to, and recover from cyber incidents. The deadline to meet full compliance was 31 March 2025.

Operational resilience requirements

The FCA and PRA operational resilience framework requires you to:

  • Identify your Important Business Services (IBS): Services that, if disrupted, would cause intolerable harm to consumers, threaten your firm's viability, or undermine market integrity
  • Set impact tolerances: Maximum acceptable levels of disruption for each IBS (measured in time, customer impact, and financial metrics)
  • Map dependencies: Understand all people, processes, technology, facilities, and third parties your IBS rely on
  • Scenario test: Regularly test whether you can remain within impact tolerances during severe but plausible disruption scenarios, including cyber attacks

Cyber security baseline

The FCA expects all regulated firms to implement foundational cyber security controls. While the FCA does not mandate specific technical standards, it recommends firms adopt the NCSC's guidance as a baseline. Cyber Essentials certification demonstrates you have addressed the most common attack vectors.

For financial services firms, these baseline controls are the minimum expectation. You should also consider:

  • Penetration testing: Regular external and internal testing by accredited providers
  • Threat-led penetration testing (TLPT): The FCA considers this an extremely effective tool for identifying unknown vulnerabilities in your most critical systems
  • Security Operations Centre (SOC): 24/7 monitoring capability, whether in-house or outsourced
  • Incident response planning: Documented procedures for detecting, containing, and recovering from cyber incidents

SM&CR cyber responsibilities

Under the Senior Managers and Certification Regime, specific individuals are accountable for cyber security. You must allocate clear responsibility for:

  • Overall accountability: A Senior Manager must be responsible for operational resilience, which includes cyber security
  • Technology and systems: SMF24 (Chief Operations function) typically covers IT infrastructure and cyber controls
  • Risk management: SMF4 (Chief Risk Officer) should oversee cyber risk within the broader risk framework

Your Statements of Responsibilities must clearly document who is accountable for cyber security. If a cyber incident occurs and accountability is unclear, the FCA will scrutinise your governance arrangements.

Key requirement: Report significant cyber incidents to the FCA within 24 hours through the normal notification process. You should also report to the ICO within 72 hours if personal data is compromised.

Third-party and outsourcing requirements

The FCA has identified unregulated third parties as the primary source of operational incidents affecting financial services firms. If you outsource any part of your operations - including cloud services, IT support, or business process outsourcing - you remain fully responsible for regulatory compliance.

Before engaging third parties that support your Important Business Services:

  • Due diligence: Assess their cyber security maturity, including certifications, incident history, and security controls
  • Contractual protections: Include rights to audit, security requirements, incident notification obligations, and exit provisions
  • Ongoing monitoring: Regularly review third-party performance and security posture - do not rely solely on initial due diligence
  • Exit planning: Ensure you can transition services to an alternative provider if the relationship ends or the third party fails

The FCA's outsourcing rules in SYSC 8 require firms to maintain oversight of material outsourcing arrangements. For cloud services, this includes understanding where your data is processed and ensuring you can meet your regulatory obligations regardless of where systems are hosted.

Incident reporting obligations

Financial services firms have multiple reporting obligations when cyber incidents occur:

FCA notification: Principle 11 (Relations with regulators) requires you to notify the FCA of anything that could significantly affect your ability to meet your regulatory obligations. For significant cyber incidents, notify within 24 hours via a SUP 15 notification.

ICO notification: If a cyber incident involves personal data, report to the ICO within 72 hours of becoming aware of the breach if it poses a risk to individuals.

Action Fraud: Report cyber crimes to Action Fraud (or Police Scotland if based in Scotland).

What constitutes a significant incident?

  • Any incident affecting your Important Business Services
  • Loss or compromise of customer data
  • Ransomware or other malware infections
  • Prolonged system outages affecting customers
  • Incidents requiring third-party forensic investigation

Preparing for DORA-style requirements

The EU's Digital Operational Resilience Act (DORA) came into force in January 2025 for EU financial services firms. While the UK is not directly subject to DORA, the FCA and PRA have indicated they will consult on similar ICT and cyber risk management requirements.

Key areas likely to be addressed in future UK rules:

  • ICT risk management framework: Formal policies and procedures for managing technology risk
  • Digital operational resilience testing: More prescriptive requirements for testing cyber defences
  • Third-party risk management: Enhanced due diligence and oversight of critical ICT providers
  • Information sharing: Arrangements for sharing cyber threat intelligence

If you operate across the UK and EU, you will need to comply with DORA for your EU operations while meeting UK requirements separately. The FCA has signalled it will aim for broad consistency with international standards while adapting rules to the UK context.

What to do now

If you have not yet achieved full compliance with operational resilience requirements:

  1. Complete IBS mapping: Identify all Important Business Services and document end-to-end dependencies
  2. Set and test impact tolerances: Define maximum tolerable disruption periods and validate through scenario testing
  3. Review third-party arrangements: Ensure contracts include appropriate security requirements and audit rights
  4. Update Statements of Responsibilities: Confirm SM&CR accountability for cyber security is clearly documented
  5. Conduct cyber scenario testing: Test your response to realistic cyber attack scenarios at least annually
  6. Document everything: The FCA expects to see evidence of your operational resilience work, including board engagement