FCA confirms new incident reporting and third party rules

The changes aim to improve response times and give firms clearer guidance on what to report and when.

Rozi Jones | Editor, Financial Reporter
19th March 2026

The FCA has introduced new rules to make it easier and more consistent for financial firms to report cyber incidents and disruptions involving third parties. 

The new rules aim to make existing incident and third party reporting clearer, more consistent, and easier for firms to follow.

As a result, the regulator hopes to be able to respond more quickly to disruption such as a cyber attack or power outage, give firms greater certainty on what to report and when, and strengthen firm resilience to better protect consumers and markets.

They come as cyber threats continue to grow, with over 40% of reported incidents in 2025 linked to third-party providers. This highlights a wider challenge for organisations across the sector as critical systems, data and services increasingly sit outside their direct control.

For both its incident and third party reporting final rules, the FCA has created a simple, streamlined reporting regime with the PRA and Bank of England, including a single reporting portal.

The FCA has also refined the overall information required, allowing most of the firms it regulates to complete a short form to tell it about their incident, and has added clearer guidance on thresholds, definitions and responsibilities.  

Firms have 12 months to prepare before the new rules come into force on 18th March 2027.

Mark Francis, director of specialists and wholesale sell-side at the FCA, said: "Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.

"These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience."
 
Michael Murphy, deputy CTO at Arqit, commented: “The FCA’s latest guidance reflects how operational risk is changing across the financial sector. As firms rely more heavily on third-party providers, resilience is no longer just about protecting internal systems – it extends across a much wider and often more complex digital supply chain.

“Clearer rules around incident and third-party reporting are a positive step. They should help firms respond more quickly to disruption and give regulators better visibility into emerging risks. But they also highlight a deeper issue. If a growing share of incidents originate outside a firm’s direct control, then reporting alone can only go so far. The real challenge is maintaining control over critical data and services even when they sit on infrastructure or platforms operated by someone else.

“Encryption is playing a much bigger role than many organisations realise. If organisations keep control of the keys and access policies protecting their data, they can operate on shared or third-party infrastructure without giving up control. That’s why approaches like confidential computing are gaining traction – because they allow sensitive workloads to remain protected even while they are being used. As digital supply chains expand, resilience will increasingly depend on exactly this kind of protection layer, ensuring financial institutions remain responsible for the data and services their customers depend on.”

Angela Greenough, a financial services partner with law firm CMS, added: “There are welcome refinements in the final rules, particularly around clarity and structure, and it’s clear the regulators have listened.

“It would be naïve from industry to think this type of framework could be reduced to a set of hard-edged rules that work in every scenario. What matters is how firms embed a sensible, risk-based approach, and for their part that regulators apply consistent, proportionate supervision and enforcement.”
