UK financial regulators have come up with a single portal for incident and third party reporting. The watchdog, the FCA, points to high-profile incidents affecting the financial services sector, such as the Cloudflare and AWS outages.
Mark Francis, director of specialists and wholesale sell-side at the Financial Conduct Authority (FCA), said: ‘Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on. These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.’
Firms have until March 2027 before the new rules come into force.
Comment
Ben Gibbins, Head of Financial Services, Insurance and Legal at Orange Cyberdefense said that the newly published policy is distinct from the EU’s DORA regulation. He said: “Both follow the same ethos and emphasise the need to bolster collaboration on incident response and third party risk management (TPRM) across the FS&I [financial services and insurance] sector. However, there are distinct differences, including prescriptive requirements, that FS&I firms will need to understand, interpret and embed into their ongoing governance, risk and compliance policies and processes.
“While many UK FS organisations will have undertaken steps to be compliant with DORA, they must not assume this is a copy and paste situation. And for other organisations without any footprint in mainland Europe, this policy could require a significant uplift in their incident response and third party risk management capabilities. With exactly 12 months to comply, FS&I organisations must begin taking stock of what is needed immediately; delaying action could see a last minute scramble early next year, and even result in some missing the March 2027 deadline altogether.
“The new rules are part of a global trend where regulators, cybersecurity authorities and threat intelligence leaders have been sounding the alarm on the risks to our Critical National Infrastructure posed by interconnected supply chains, and exacerbated by growing geopolitical tensions. We are in a position where one misplaced click on the wrong link could paralyse an entire society, and with 40 per cent of incidents reported to the FCA in 2025 involving at least one third party and the trend showing no signs of slowing, it’s only a matter of time until the resilience of the UK’s financial systems is truly tested.
“However, regulators cannot address systemic supply chain risks on their own. Addressing the systemic supply chain risks to the UK and global financial systems will require collaboration across firms and partnerships with innovative private companies. We encourage the Regulators to work with leading, innovative TPRM providers who have been building collaboration forums and the capabilities to identify concentration risks, so that the information they collect can be used as effectively as possible.”




