Rules for reporting cyber incidents

by Mark Rowe

The UK watchdog the FCA (Financial Conduct Authority) has brought out rules for financial firms to report cyber incidents and disruptions involving others. The FCA worked with another regulator, the Prudential Regulation Authority (PRA), and the Bank of England on the rules; firms have 12 months to prepare before they come into force in March 2027.

Mark Francis, director of specialists and wholesale sell-side at the FCA, said: ‘Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on. These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.’ He’s due to be among speakers at an FCA webinar on operational resilience on April 29.

As for incidents affecting the financial services sector due to others, the FCA points to a recent high-profile Cloudflare incident and an AWS outage.

Comment

Michael Murphy, deputy CTO at Arqit, said: “The FCA’s latest guidance reflects how operational risk is changing across the financial sector. As firms rely more heavily on third-party providers, resilience is no longer just about protecting internal systems – it extends across a much wider and often more complex digital supply chain.

“Clearer rules around incident and third-party reporting are a positive step. They should help firms respond more quickly to disruption and give regulators better visibility into emerging risks. But they also highlight a deeper issue. If a growing share of incidents originate outside a firm’s direct control, then reporting alone can only go so far. The real challenge is maintaining control over critical data and services even when they sit on infrastructure or platforms operated by someone else.

“Encryption is playing a much bigger role than many organisations realise. If organisations keep control of the keys and access policies protecting their data, they can operate on shared or third-party infrastructure without giving up control. That’s why approaches like confidential computing are gaining traction – because they allow sensitive workloads to remain protected even while they are being used. As digital supply chains expand, resilience will increasingly depend on exactly this kind of protection layer, ensuring financial institutions remain responsible for the data and services their customers depend on.”