www.infosecurity-magazine.com 3/19/2026, 11:00:30 AM

FCA Updates Cyber Incident and Third-Party Reporting Rules

The UK Financial Conduct Authority (FCA) has issued new rules to clarify which cyber-related incidents firms must report and when, aiming to boost cyber and business resilience. The update follows feedback that organisations are often unclear about the reporting requirements and what information to provide.

Mark Francis, the FCA's director of specialists and wholesale sell-side, said: “Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.” According to Francis, the changes give firms clearer rules and practical guidance.

The new regime covers internal cyber incidents and outages caused by suppliers. It brings a streamlined reporting system created with the Prudential Regulation Authority and the Bank of England, featuring a single portal, and removes duplicated reporting for payment service providers and credit rating agencies. The FCA notes that 40% of incidents reported in 2025 involved a third party. Firms have 12 months to prepare for the regime, which comes into force on 18 March 2027.

Article by CyberSIXT