Cyber security for financial services firms

Operational resilience requirements

The FCA and PRA operational resilience framework requires you to:

• Identify your Important Business Services (IBS): Services that, if disrupted, would cause intolerable harm to consumers, threaten your firm's viability, or undermine market integrity
• Set impact tolerances: Maximum acceptable levels of disruption for each IBS (measured in time, customer impact, and financial metrics)
• Map dependencies: Understand all people, processes, technology, facilities, and third parties your IBS rely on
• Scenario test: Regularly test whether you can remain within impact tolerances during severe but plausible disruption scenarios, including cyber attacks

Cyber security baseline

The FCA expects all regulated firms to implement foundational cyber security controls. While the FCA does not mandate specific technical standards, it recommends firms adopt the NCSC's guidance as a baseline. Cyber Essentials certification demonstrates you have addressed the most common attack vectors.

SM&CR cyber responsibilities

Under the Senior Managers and Certification Regime, specific individuals are accountable for cyber security. You must allocate clear responsibility for:

• Overall accountability: A Senior Manager must be responsible for operational resilience, which includes cyber security
• Technology and systems: SMF24 (Chief Operations function) typically covers IT infrastructure and cyber controls
• Risk management: SMF4 (Chief Risk Officer) should oversee cyber risk within the broader risk framework

Your Statements of Responsibilities must clearly document who is accountable for cyber security. If a cyber incident occurs and accountability is unclear, the FCA will scrutinise your governance arrangements.

Key requirement: Report significant cyber incidents to the FCA within 24 hours through the normal notification process. You should also report to the ICO within 72 hours if personal data is compromised.

Third-party and outsourcing requirements

The FCA has identified unregulated third parties as the primary source of operational incidents affecting financial services firms. If you outsource any part of your operations - including cloud services, IT support, or business process outsourcing - you remain fully responsible for regulatory compliance.

Before engaging third parties that support your Important Business Services:

• Due diligence: Assess their cyber security maturity, including certifications, incident history, and security controls
• Contractual protections: Include rights to audit, security requirements, incident notification obligations, and exit provisions
• Ongoing monitoring: Regularly review third-party performance and security posture - do not rely solely on initial due diligence
• Exit planning: Ensure you can transition services to an alternative provider if the relationship ends or the third party fails

The FCA's outsourcing rules in SYSC 8 require firms to maintain oversight of material outsourcing arrangements. For cloud services, this includes understanding where your data is processed and ensuring you can meet your regulatory obligations regardless of where systems are hosted.

Incident reporting obligations

Financial services firms have multiple reporting obligations when cyber incidents occur:

FCA notification: Principle 11 (Relations with regulators) requires you to notify the FCA of anything that could significantly affect your ability to meet your regulatory obligations. For significant cyber incidents, notify within 24 hours via SUP 15 notification.

ICO notification: If a cyber incident involves personal data, report to the ICO within 72 hours of becoming aware of the breach if it poses a risk to individuals.

Action Fraud: Report cyber crimes to Action Fraud (or Police Scotland if based in Scotland).

What constitutes a significant incident?

• Any incident affecting your Important Business Services
• Loss or compromise of customer data
• Ransomware or other malware infections
• Prolonged system outages affecting customers
• Incidents requiring third-party forensic investigation

Preparing for DORA-style requirements

The EU's Digital Operational Resilience Act (DORA) came into force in January 2025 for EU financial services firms. While the UK is not directly subject to DORA, the FCA and PRA have indicated they will consult on similar ICT and cyber risk management requirements.

Key areas likely to be addressed in future UK rules:

• ICT risk management framework: Formal policies and procedures for managing technology risk
• Digital operational resilience testing: More prescriptive requirements for testing cyber defences
• Third-party risk management: Enhanced due diligence and oversight of critical ICT providers
• Information sharing: Arrangements for sharing cyber threat intelligence

If you operate across the UK and EU, you will need to comply with DORA for your EU operations while meeting UK requirements separately. The FCA has signalled it will aim for broad consistency with international standards while adapting rules to the UK context.

What to do now

If you have not yet achieved full compliance with operational resilience requirements:

1. Complete IBS mapping: Identify all Important Business Services and document end-to-end dependencies
2. Set and test impact tolerances: Define maximum tolerable disruption periods and validate through scenario testing
3. Review third-party arrangements: Ensure contracts include appropriate security requirements and audit rights
4. Update Statements of Responsibilities: Confirm SM&CR accountability for cyber security is clearly documented
5. Conduct cyber scenario testing: Test your response to realistic cyber attack scenarios at least annually
6. Document everything: The FCA expects to see evidence of your operational resilience work, including board engagement