The FCA has teamed up with the Bank of England and Prudential Regulation Authority for a new paper
The FCA has updated its cyber disruption guidance for regulated firms, including how firms should respond to disruption at a third party, following several recent high-profile internet outages and cyber attacks.
Earlier this month cloud data provider Amazon Web Services saw nine hours of disruptions, with the infrastructure issues impacting hundreds of global businesses including Hargreaves Lansdown, Lloyds and Bank of Scotland, as well as the Gov.uk website and HMRC.
This week the FCA updated its existing operational resilience guidance to regulated firms to include more details on what it considers an effective response and recovery after cyber disruption.
It also reminded firms that they have had to comply with its operational resilience rules since 31 March this year.
This is not the first time technical issues with suppliers have beset large swathes of businesses. In July 2024 US cybersecurity firm CrowdStrike caused a global IT outage disrupting the internet services of 8.5m Microsoft Windows devices.
The FCA said it had observed how firms responded to the CrowdStrike incident and engaged with regulated firms to understand the impact the outage had on firms, the market and operational responses.
It also shared guidance, developed with the Bank of England and the Prudential Regulation Authority, designed to help firms prepare for the potential impact of cyber disruptions.
While the new cross-regulator guidance primarily shares examples from larger firms, the regulators said that the underlying principles were relevant to all regulated firms.
The guidance said firms needed to consider the risk of cyber disruptions on an ongoing basis.
It said: “Operational resilience is not a one-off compliance activity. The value of individual technical capabilities is realised not when they are considered as an end in themselves, but when they are designed to meet the needs of, and are understood by, the business.
“Firms will need to take a dynamic approach, adapting their resilience capabilities in response to the continually evolving risk environment.”
• The cross-regulator paper is available on the FCA and Bank of England websites.