The FCA has amended its rules on cyber attacks to make its existing incident and third-party reporting requirements clearer, more consistent and easier for firms to follow.
The new rules will come into force on 18 March 2027.
The regulator said the new rules will help it respond more quickly to disruption caused by cyber attacks, as well as giving firms greater clarity on what they need to report and when.
In 2025, over 40% of cyber incidents reported to the FCA involved a third party.
In December 2024 the regulator consulted on a clearer framework for reporting cyber attacks.
It has now:
- Created a streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England, including a single reporting portal
- Removed duplicative incident reporting for payment service providers and credit rating agencies
- Refined the overall information required, allowing most of the firms it solo regulates to complete a short form to tell it about their incident
- Added clearer guidance on thresholds, definitions and responsibilities
Mark Francis, director of specialists and wholesale sell-side at the FCA, said: “Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.
“These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.”
Access the guidance for incident reports and third-party reporting on the FCA website.
The new guidance includes examples of what firms should report, help applying the thresholds, and guidance on completing the incident form and third party register.
The FCA said it would review its new cyber rules in 2029, two years after implementation.