
FCA-regulated firms must treat cyber security as a board-level operational resilience obligation, not an IT line item. The core legal basis sits in the FCA Handbook: Principle 11, SYSC 4.1.1R, SYSC 6.1.1R, SYSC 13 and the SYSC 15A operational resilience rules that took full effect on 31 March 2025. Firms must identify important business services, set impact tolerances, map dependencies and test against severe-but-plausible scenarios. New operational incident and third-party reporting rules were finalised in 2026 and come into force on 18 March 2027, requiring material incidents to be reported through a unified portal within roughly 24 to 72 hours. The average UK financial-services data breach now costs around £5.3m, well above the £3.4m cross-industry figure. Over 40% of cyber incidents reported to the FCA in 2025 involved a third party. Cyber Essentials and the NCSC 10 Steps mitigate around 80% of common attacks.
Last updated: June 2026
Four bodies share oversight of cyber security in UK financial services, and each one expects something slightly different from you. The Financial Conduct Authority (FCA) regulates conduct for around 42,000 firms and treats cyber resilience as part of its operational resilience and systems-and-controls expectations. The Prudential Regulation Authority (PRA) supervises the largest banks, building societies, insurers and major investment firms, focusing on safety and soundness. The Bank of England oversees financial stability and runs the sector-wide threat-led testing programmes. The Information Commissioner's Office (ICO) enforces data protection under UK GDPR and the Data Protection Act 2018, which sits alongside, not inside, the FCA framework.
This matters because a single ransomware event can trigger obligations to multiple regulators at once. A breach exposing client personal data is an ICO matter under UK GDPR, with a 72-hour notification clock. The same incident, if it disrupts an important business service, becomes an FCA operational resilience matter. If you are a dual-regulated bank, the PRA expects evidence too. Our honest view: firms that treat these as one combined "regulatory reporting" workflow recover faster and avoid the embarrassing situation of telling one regulator something different from another.
Here is how the responsibilities break down in practice.
| Regulator | Primary concern | What it expects from cyber security |
|---|---|---|
| FCA | Conduct, consumer protection, market integrity | Operational resilience, SYSC systems and controls, incident reporting |
| PRA | Safety and soundness of large firms | Prudential resilience, board accountability, recovery capability |
| Bank of England | Financial stability of the sector | CBEST threat-led testing, sector-wide stress scenarios |
| ICO | Personal data protection | UK GDPR security of processing, 72-hour breach notification |
For SME suppliers to regulated firms, the picture is subtler. You may not be directly authorised, but if you process data or run systems for an FCA firm, that firm's obligations flow down to you through its outsourcing and third-party management duties. In practice, this means your client's compliance team will increasingly audit your controls, and weak supplier security has become one of the fastest ways to lose a financial-services contract. If you build or maintain technology for regulated firms, treat their regulators as your regulators by proxy.
The FCA does not publish a single "cyber security rulebook"; instead the requirements are woven through the FCA Handbook, principally in the Principles for Businesses and the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook. The headline obligation is Principle 11, which requires firms to deal with regulators in an open and cooperative way and to disclose anything the FCA would reasonably expect notice of, including a significant cyber incident. Principle 3 requires you to take reasonable care to organise and control your affairs responsibly, with adequate risk management systems.
The specific systems-and-controls duties live in SYSC. The clauses you should know by reference are below, because most competitor articles gloss over them and the FCA examiners do not.
| Handbook reference | What it requires |
|---|---|
| Principle 11 | Open, cooperative disclosure to the FCA, including material cyber incidents |
| SYSC 4.1.1R | Robust governance, clear organisational structure and effective risk management |
| SYSC 6.1.1R | Adequate policies and procedures to ensure compliance, including information security |
| SYSC 13 | Operational risk management for insurers, covering systems and IT continuity |
| SYSC 15A | Operational resilience: important business services, impact tolerances, scenario testing |
Layered on top is the Senior Managers and Certification Regime (SM&CR). Cyber resilience is not optional at the top of the firm because a named senior manager, usually the SMF24 (Chief Operations function) or an equivalent, holds personal accountability for the firm's technology and operational resilience. If a cyber failure causes harm and the FCA finds that reasonable steps were not taken, that individual can face enforcement, not just the corporate entity. This is the single most underappreciated point for boards: cyber is now a personal-liability subject for the senior manager who owns it.
SYSC 15A.5.3 deserves a specific mention because it underpins the testing expectation. It requires firms to carry out scenario testing of their ability to remain within impact tolerances for each important business service during severe but plausible disruption, including cyber attack. The FCA does not prescribe a single methodology, but it expects the testing to be evidenced, repeated at least annually, and refreshed whenever you make a material change to your systems. Our stance: if your last scenario test was a tabletop slideshow with no technical validation behind it, you are not meeting the spirit of SYSC 15A, and an examiner will notice.
The operational resilience framework, introduced through policy statement PS21/3 and embedded in SYSC 15A, is now the central lens through which the FCA views cyber risk. The transitional period ended on 31 March 2025, so every in-scope firm should already have identified its important business services, set impact tolerances, completed dependency mapping, and demonstrated it can stay within those tolerances during severe disruption. Cyber attack is explicitly named as one of the disruption types you must be able to withstand.
The framework rests on four building blocks (important business services, impact tolerances, dependency mapping and scenario testing), and each has a direct cyber security implication.
An impact tolerance is the bridge between abstract cyber risk and concrete business decisions. If your impact tolerance for a payment service is four hours, then your backup, recovery and incident-response capability must demonstrably restore that service within four hours after a destructive attack. If your tested recovery time is eleven hours, you have a documented, board-visible gap that you are obliged to close. This is far more useful than a generic "we have firewalls" assurance because it forces a measurable target.
Our view: the operational resilience rules are the best thing to happen to financial-services cyber security in a decade, because they reframe the question from "are we secure?" (unanswerable) to "can we keep this specific service running within this specific time during a cyber attack?" (testable). Firms that have genuinely embraced this, rather than producing a binder of documents for the regulator, recover from incidents materially faster. The binder-only firms tend to discover during a real incident that their mapping was out of date and their recovery plan referenced a person who left two years ago. Treat resilience as a living capability, and revisit your mapping every time you change a supplier, migrate a system, or launch a new product.
You must report a material cyber incident to the FCA without unreasonable delay under Principle 11, and from 18 March 2027 a new, more prescriptive regime applies with defined timelines and a unified reporting portal. The FCA, PRA and Bank of England finalised these operational incident and third-party reporting rules in March 2026, replacing the patchy current approach with a structured one. Under the new rules, firms must report material operational incidents in stages: an initial notification within a tight window of around 24 to 72 hours of classifying the incident as material, followed by intermediate updates and a final report.
Today, before the new rules bite, the obligation is already live through Principle 11 and existing supervisory expectations. The FCA expects notification of any incident that results in significant loss of data, unavailability of important services, or a breach affecting customers. Do not wait until you have fully understood an incident to notify; the regulator would rather hear early and imperfect than late and complete.
| Stage | Trigger | Indicative timeline |
|---|---|---|
| Initial notification | Incident classified as material | Within 24 to 72 hours |
| Intermediate report | Material new information emerges | As the picture develops |
| Final report | Incident resolved and reviewed | After recovery and root-cause analysis |
| ICO notification (parallel) | Personal data breach with risk to individuals | Within 72 hours |
A practical trap catches many firms: the FCA clock and the ICO clock run in parallel and have different triggers. The ICO 72-hour clock starts when you become aware of a personal data breach that poses a risk to individuals. The FCA notification is driven by materiality to your operations and customers. A single ransomware event commonly triggers both, plus a PRA obligation if you are dual-regulated. Build one incident-classification process that fans out to all relevant regulators automatically, rather than three separate panicked email chains at 2am.
Our honest rule on reporting: if your incident team is debating whether something is "material enough" to report for longer than thirty minutes, it probably is, and you should notify. Under-reporting damages your relationship with the regulator far more than a slightly over-cautious notification ever will. Document the decision either way, because the FCA may later ask why you did or did not report, and a clear contemporaneous rationale is your best defence.
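The single classification process that fans out to every regulator, written as an added Python example (not the article's or Softomate's own code). The 24-hour internal FCA target (the early end of the article's "roughly 24 to 72 hours"), the thirty-minute rule applied as a literal threshold, and the PRA sharing the FCA trigger are this example's assumptions; the sample incident is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed internal deadlines, not figures from the article. The post-2027 FCA
# initial-notification window is given as roughly 24 to 72 hours after the
# incident is classified as material; taking the early end as the internal
# target means the statutory window is never missed. The ICO clock is 72 hours
# from awareness of a personal data breach that poses a risk to individuals.
FCA_INITIAL_WINDOW = timedelta(hours=24)
ICO_WINDOW = timedelta(hours=72)
DEBATE_THRESHOLD_MIN = 30  # rule of thumb: debated longer than this, notify


@dataclass
class Incident:
    """Hypothetical incident record; the field names are this example's own."""
    ref: str
    aware_at: datetime                      # when the firm became aware
    personal_data_risk: bool                # personal data breach with risk to individuals
    dual_regulated: bool                    # firm is also PRA-supervised
    classified_material_at: Optional[datetime] = None  # None = not (yet) material
    materiality_debate_minutes: int = 0     # how long the team has argued about it


@dataclass
class Obligation:
    regulator: str
    trigger: str
    deadline: datetime


def apply_thirty_minute_rule(inc: Incident, now: datetime) -> Incident:
    """Prolonged debate about materiality resolves to 'material' at the time of decision."""
    if inc.classified_material_at is None and inc.materiality_debate_minutes > DEBATE_THRESHOLD_MIN:
        inc.classified_material_at = now
    return inc


def fan_out(inc: Incident) -> List[Obligation]:
    """Derive every regulator notification from one classification; each runs its own clock."""
    out: List[Obligation] = []
    if inc.personal_data_risk:
        # The ICO clock starts at awareness, whether or not the FCA deems it material.
        out.append(Obligation("ICO", "personal data breach with risk to individuals",
                              inc.aware_at + ICO_WINDOW))
    if inc.classified_material_at is not None:
        # The FCA clock starts at classification, not at awareness.
        fca_deadline = inc.classified_material_at + FCA_INITIAL_WINDOW
        out.append(Obligation("FCA", "incident classified as material", fca_deadline))
        if inc.dual_regulated:
            # Assumption: the PRA notification shares the FCA trigger and deadline.
            out.append(Obligation("PRA", "material incident at a dual-regulated firm", fca_deadline))
    return sorted(out, key=lambda o: o.deadline)  # stable sort keeps FCA before PRA on a tie


def decision_record(inc: Incident, decided_at: datetime) -> Dict[str, object]:
    """Contemporaneous record of the report / no-report decision, written either way."""
    obligations = fan_out(inc)
    return {
        "incident": inc.ref,
        "decided_at": decided_at.isoformat(),
        "material": inc.classified_material_at is not None,
        "notifications": [(o.regulator, o.deadline.isoformat()) for o in obligations],
        "next_deadline": obligations[0].deadline.isoformat() if obligations else None,
        "rationale": ("notify: " + "; ".join(f"{o.regulator} ({o.trigger})" for o in obligations)
                      if obligations else "no notification: not material and no personal data at risk"),
    }


def sample_decision(debate_minutes: int = 45, personal_data_risk: bool = True) -> Dict[str, object]:
    """Constructed sample: ransomware noticed at 02:00 UTC, classification decided at 05:00."""
    now = datetime(2026, 6, 1, 5, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", datetime(2026, 6, 1, 2, 0, tzinfo=timezone.utc),
                   personal_data_risk=personal_data_risk, dual_regulated=True,
                   materiality_debate_minutes=debate_minutes)
    return decision_record(apply_thirty_minute_rule(inc, now), now)


if __name__ == "__main__":
    for regulator, deadline in sample_decision()["notifications"]:
        print(regulator, deadline)
```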
The FCA expects testing proportionate to your size and importance, ranging from self-assessment for smaller firms through to intelligence-led penetration testing for systemically important institutions. There is no single mandated test, but there is a recognised ladder of frameworks, and knowing where you sit on it is essential. Penetration testing is not a tick-box; SYSC 15A's scenario-testing duty effectively requires firms to validate their defences against realistic attacks at least annually and after material change.
The frameworks differ sharply in intensity, cost and who they apply to. Confusing them is a common and expensive mistake, so here is a clear comparison.
| Framework | Who it is for | Intensity | Typical cost guide |
|---|---|---|---|
| Cyber Essentials / Plus | All firms, baseline | Self-assessment or basic audit | £300 to £3,000 |
| CQUEST self-assessment | Smaller financial entities | 50-question self-review across 6 domains | Internal time only |
| STAR-FS | Mid-tier regulated firms | Intelligence-led penetration test | £40,000 to £120,000 |
| CBEST | Systemically important firms | Bank of England-led threat simulation | £150,000+ |
| DORA TLPT | EU-facing firms under DORA | Threat-led penetration testing | Comparable to CBEST |
CQUEST deserves explanation because it is the entry point many smaller firms miss. It is a self-assessment of 50 questions spread across six domains that mirror the NIST functions: Govern, Identify, Protect, Detect, Respond and Recover. It is not a pass-or-fail certificate; it is a structured way to find your own gaps before a regulator or an attacker does. We recommend every regulated SME complete it annually even where it is not strictly mandated, because it produces a defensible, evidenced view of your maturity at near-zero cost.
DORA, the EU Digital Operational Resilience Act, came into force in January 2025. It does not directly bind UK-only firms, but it absolutely binds UK firms with EU operations, EU subsidiaries, or EU clients, and it raises the bar globally because EU counterparties will demand DORA-aligned evidence from their UK suppliers. If you passport services into the EU or serve EU financial entities, treat DORA as in scope. Its threat-led penetration testing requirement (TLPT) is closely modelled on CBEST, so firms already running CBEST or STAR-FS have a strong head start.
Our stance on testing spend: do not buy a £100,000 STAR-FS engagement while leaving multi-factor authentication switched off on your admin accounts. Spend in order of leverage. Get Cyber Essentials Plus, enforce MFA everywhere, patch on a schedule, and complete CQUEST first. Only then does intelligence-led testing give you genuine new information rather than confirming gaps you already knew about. The most sophisticated test in the world is wasted money if the basics are broken underneath it.
Third-party and supply-chain risk is now the single largest source of cyber incidents for UK financial services, and the regulators have responded by extending their reach to the suppliers themselves. In 2024, 58% of large UK financial-services firms were hit by a third-party supply-chain attack, and 23% were hit three or more times. More than 40% of cyber incidents reported to the FCA in 2025 involved a third party. The lesson is blunt: your security is now only as strong as your weakest supplier's, and the FCA holds you accountable for that supplier's failings.
The regulatory response has two parts. First, the existing outsourcing rules in SYSC and the FCA outsourcing guidance require you to perform due diligence, set contractual security obligations, monitor performance, and retain the ability to exit or substitute a critical supplier. Second, a new Critical Third Party (CTP) regime gives the regulators direct oversight of the most systemically important technology providers, such as major cloud platforms, whose failure could threaten financial stability. CTPs themselves now face resilience requirements, but this does not transfer your accountability; you remain responsible for the services you outsource.
A practical supplier-management programme should cover, at minimum, a complete inventory of every supplier who can touch your data, due diligence before onboarding, contractual security obligations, ongoing monitoring of performance, and a tested ability to exit or substitute a critical supplier.
For SME technology suppliers reading this, the implication is opportunity, not just burden. Regulated firms are actively looking for suppliers who can evidence strong controls, because a credible security posture removes friction from procurement. If you build software, run automation, or host systems for FCA firms, getting Cyber Essentials Plus and documenting your incident-response process is one of the highest-return commercial investments you can make. When we deliver business process automation for London firms, security evidence is part of the deliverable precisely because regulated clients now demand it before signing.
Our honest view: the firms that suffer the worst supply-chain incidents are almost always the ones with an incomplete inventory. They get breached through a system or supplier nobody remembered existed. Spend your first week not on shiny tooling but on building a genuinely complete map of who can touch your data. It is unglamorous and it is the highest-leverage thing you can do.
Every FCA firm, regardless of size, should implement a baseline of controls that the NCSC and FCA both endorse, because these mitigate roughly 80% of common attacks at modest cost. The two reference frameworks are Cyber Essentials and the NCSC 10 Steps to Cyber Security. Neither is exotic; both are deliberately practical. The mistake firms make is assuming advanced threats require advanced defences, when in reality most successful attacks exploit unpatched software, weak passwords, missing MFA and over-privileged accounts, all of which the baseline addresses.
Here is a prioritised control checklist mapped to the outcomes it protects. Treat the top rows as non-negotiable.
| Control | What it prevents | Priority |
|---|---|---|
| Multi-factor authentication everywhere | Account takeover from stolen passwords | Critical |
| Timely patching and vulnerability management | Exploitation of known flaws | Critical |
| Least-privilege access and admin separation | Lateral movement after compromise | Critical |
| Tested, offline, immutable backups | Permanent data loss in ransomware | Critical |
| Endpoint detection and response (EDR) | Undetected malware persistence | High |
| Email filtering and phishing training | Initial access via phishing | High |
| Network segmentation | Whole-estate compromise | High |
| Logging, monitoring and alerting | Slow incident detection | High |
| Documented, tested incident response plan | Chaotic, slow recovery | High |
Backups deserve a particular warning because they are where firms most often discover, too late, that their plan does not work. A backup that an attacker can reach and encrypt during the same intrusion is not a backup. Modern ransomware actively hunts and destroys backups before triggering encryption, so you need at least one copy that is offline or immutable, and you need to actually restore from it on a schedule. The number of firms whose backups have never been test-restored until a real incident is alarming, and it is the difference between a four-hour recovery and a four-week one.
Beyond the technical controls, governance is a control in its own right. The board should receive cyber risk reporting in plain business terms, the named senior manager under SM&CR should be able to describe the firm's resilience posture without reading from a script, and cyber risk should appear on the same risk register as credit and market risk. When we build a custom CRM or line-of-business system for a regulated firm, we design these controls into the application from the start: enforced MFA, role-based access, full audit logging and encrypted data at rest. Bolting security on afterwards always costs more and works less well.
Our honest rule: be sceptical of any vendor selling you a single product that "solves" cyber compliance. There is no such product. Compliance is the sum of governance, baseline controls, testing, supplier management and incident readiness, evidenced over time. A tool can help with one slice; it cannot replace the discipline.
Softomate Solutions helps FCA-regulated firms and their suppliers turn these requirements into working systems through a structured five-stage process, with fixed-quote pricing agreed before any work starts. We are a London-based software development and automation agency in Stanmore (HA7), and we build the technical controls, secure applications and reporting workflows that operational resilience demands. We do not sell certificates or compliance theatre; we build and harden the systems your business actually runs on, with security designed in rather than bolted on.
Our process is deliberately ordered so that you fix the high-leverage gaps first and spend on advanced work only once the foundations are sound.
Every engagement runs to a clear timeline with fixed-quote pricing, so there are no open-ended consultancy invoices.
| Stage | Typical duration | Starting price (GBP) |
|---|---|---|
| Discovery and gap assessment | 1 to 2 weeks | from £2,500 |
| Baseline hardening | 3 to 6 weeks | from £6,000 |
| Secure systems and automation | 6 to 12 weeks | from £12,000 |
| Resilience and reporting workflows | 3 to 5 weeks | from £5,500 |
| Ongoing monitoring and review | Monthly retainer | from £950 per month |
We give a fixed quote after the discovery stage, not a vague day rate, because regulated firms need budget certainty. If you are a smaller supplier to a regulated client and just need Cyber Essentials Plus readiness and an incident-response plan, we scope a lighter engagement starting from £2,500. If you are a larger firm needing secure custom applications, automation and full resilience reporting, we scope the full programme. Either way, you know the number before you commit. To discuss your firm's position, get in touch through our London automation and software agency and we will arrange a no-obligation discovery call.
The FCA does not name penetration testing as a single mandatory rule, but SYSC 15A's scenario-testing duty effectively requires it. Firms must test their ability to stay within impact tolerances against severe-but-plausible cyber scenarios, at least annually and after material change. For larger firms, intelligence-led tests like STAR-FS or CBEST apply.
An impact tolerance is the maximum level of disruption to an important business service that a firm judges tolerable before consumers or market integrity suffer intolerable harm. It is usually expressed as a time limit, such as restoring payments within four hours, and your cyber recovery capability must demonstrably meet it during testing.
You must report material incidents to the FCA without unreasonable delay under Principle 11 today. From 18 March 2027, new rules require initial notification within roughly 24 to 72 hours of classifying an incident as material, through a unified portal, followed by intermediate and final reports. A parallel ICO 72-hour clock applies to personal data breaches.
The core references are Principle 11 (open disclosure), Principle 3 (responsible organisation), SYSC 4.1.1R (governance), SYSC 6.1.1R (compliance procedures), SYSC 13 (operational risk for insurers) and SYSC 15A (operational resilience, important business services, impact tolerances and scenario testing). SM&CR adds personal accountability for the named senior manager.
DORA does not directly bind UK-only firms, but it applies to UK firms with EU operations, subsidiaries or clients. It also raises the bar indirectly because EU counterparties demand DORA-aligned evidence from UK suppliers. If you serve EU financial entities, treat DORA, including its threat-led penetration testing, as in scope.
The average UK financial-services data breach costs around £5.3m, notably higher than the £3.4m cross-industry average. Globally, financial-services incidents average around $5.56m versus $4.44m across all sectors. The premium reflects regulatory penalties, customer remediation, downtime and the sensitivity of financial data.
CQUEST is a cyber security self-assessment of 50 questions across six domains: Govern, Identify, Protect, Detect, Respond and Recover. It is not a pass-or-fail certificate but a structured way for smaller financial entities to find and evidence their own gaps. We recommend every regulated SME complete it annually at near-zero cost.
SME suppliers are not usually directly authorised, but the regulated firm's outsourcing duties flow down to them. In practice this means clients audit your controls and demand Cyber Essentials or equivalent. With over 40% of FCA-reported incidents involving a third party, strong supplier security is now essential to win and keep contracts.
Both are intelligence-led penetration tests, but CBEST is a Bank of England-led programme for systemically important firms and is the most intensive and costly. STAR-FS is a framework for mid-tier regulated firms, run privately to similar principles but at lower scale. Smaller firms typically start with CQUEST self-assessment and Cyber Essentials Plus.
Recovery speed is set by your impact tolerance for each affected important business service, not by a single regulatory figure. If your tolerance for payments is four hours, your backup and recovery must demonstrably restore that service within four hours after a destructive attack. This requires tested, offline or immutable backups, not just backups that exist on paper.
FCA cyber security compliance comes down to a clear chain: governance under SYSC 4.1.1R and SM&CR, baseline controls that stop 80% of attacks, operational resilience under SYSC 15A with impact tolerances tested against cyber scenarios, supplier management for the third-party risk behind 40% of FCA-reported incidents, and incident reporting that meets both the FCA and the ICO 72-hour clocks. The 31 March 2025 operational resilience deadline has passed, and the new reporting rules bite on 18 March 2027, so the time to close gaps is now, not when an examiner asks. With an average UK financial-services breach costing around £5.3m, the economics favour acting early. Start with a complete supplier inventory, enforce MFA, fix your backups, complete CQUEST, then invest in advanced testing once the foundations hold. Resilience is a living capability, not a binder, and the firms that treat it that way recover fastest when, not if, an incident comes.
If your firm needs secure systems, hardened automation and regulator-ready reporting workflows built by a UK team that understands financial-services obligations, talk to our London AI automation and software agency or get in touch for a fixed-quote discovery call.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and automation agency in Stanmore (HA7). With over 12 years building software, custom CRM systems and automation for UK businesses, including regulated financial-services firms and their suppliers, he focuses on designing security and operational resilience into systems from the first line of code rather than bolting it on afterwards. Softomate Solutions is registered at Companies House and works with firms across London and the UK. Learn more about Softomate Solutions.