UK financial services firms operate under one of the most demanding cyber security regulatory frameworks of any sector. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have significantly strengthened their cyber resilience expectations over recent years, and the introduction of DORA (Digital Operational Resilience Act) requirements - which apply to UK firms operating in the EU - adds a further layer of obligation. Understanding what regulators require, and how to demonstrate compliance, is essential for any firm in the sector.
Softomate Solutions is a London-based cyber security consultancy that works with financial services firms including investment managers, payment service providers, insurance brokers, wealth management practices, and fintech businesses. Our virtual CISO service is designed for regulated financial services firms that need senior security leadership without the cost of a full-time hire, and our technical security programmes are built around FCA expectations and NCSC guidance. London's position as a global financial centre means that the cyber threats targeting its financial services sector are sophisticated, persistent, and well-funded.
This guide covers the primary regulatory requirements, the technical and governance controls expected by the FCA, and the practical steps UK financial services firms should take to build and demonstrate cyber resilience.
The FCA does not mandate a single prescriptive cyber security standard, but it sets clear expectations through the Senior Managers and Certification Regime (SM&CR), its operational resilience framework, and the supervisory priorities it communicates through Dear CEO letters and thematic reviews. The cumulative picture is of a regulator that expects firms to have identified and tested their important business services, to understand their cyber risk exposure, and to be able to demonstrate that cyber resilience is owned at senior management level.
Under SM&CR, specific Senior Managers bear personal regulatory accountability for the operational resilience of the firm, which includes cyber security. Firms must identify which Senior Manager is accountable for cyber risk, ensure they have the competence and resource to discharge that accountability, and demonstrate that the board and senior management receive regular, accurate reporting on cyber risk. The personal accountability dimension means that cyber failures can have direct career and regulatory consequences for named individuals, not just the firm.
The FCA's operational resilience policy (Policy Statement PS21/3, published in March 2021 alongside the PRA's and Bank of England's equivalent policies) requires firms to identify their important business services, set impact tolerances for the maximum tolerable disruption to each, and test their ability to remain within those tolerances under severe but plausible scenarios. Cyber attacks are explicitly included among the scenarios firms must test. Firms have had to meet the framework's initial requirements since 31 March 2022, and the transitional period in which they had to become able to remain within their impact tolerances ended on 31 March 2025.
The FCA's Senior Management Arrangements, Systems and Controls (SYSC) sourcebook requires firms to have sound and effective risk management arrangements and appropriate technology risk management. Principle 3 (management and control) and Principle 11 (relations with regulators) are relevant in the context of cyber incidents - firms must manage cyber risk appropriately and inform the FCA promptly of material cyber incidents using the prescribed notification procedures.
FCA-regulated firms are required to notify the FCA of material operational incidents, including cyber incidents, promptly. The notification rules and the tests for materiality are set out in SUP 15.3 of the FCA Handbook and typically capture incidents that significantly affect the firm's ability to provide services, affect the integrity or availability of data, involve criminal activity, or generate significant press coverage. In practice, any incident that disrupts important business services for more than a brief period, results in data loss, or involves a ransom demand should be assessed for FCA notification.
The FCA notification must be made as soon as the firm becomes aware of the material incident, not after the investigation is complete. The standard approach is an initial notification with the information available, followed by updates as the investigation progresses. Failure to notify the FCA of a material cyber incident, or delayed notification, is itself a regulatory breach that can result in enforcement action independent of the underlying incident.
Alongside FCA notification, firms processing personal data must assess whether a UK GDPR notification to the ICO is required within 72 hours of becoming aware of the breach. For incidents involving payment card data, the card schemes and the firm's acquirer impose their own account data compromise notification requirements. Managing several parallel regulatory notification obligations during an active incident requires a pre-planned and tested notification process; improvising it under pressure leads to missed deadlines and regulatory criticism.
The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities and their ICT service providers operating in the EU. It entered into force in January 2023 and has applied since 17 January 2025. UK firms that provide services in EU member states, or that operate through EU-based group entities, need to understand their DORA obligations.
DORA's requirements include: ICT risk management framework requirements; ICT incident classification and reporting obligations; digital operational resilience testing including threat-led penetration testing (TLPT) for significant firms; ICT third-party risk management including mandatory contractual requirements for critical suppliers; and information sharing on cyber threats. While DORA does not apply directly to UK-only operations, firms that maintain EU authorisations or service EU clients will need to manage compliance with both the UK FCA framework and DORA, which have overlapping but not identical requirements.
The technical security controls expected of UK financial services firms reflect the sensitivity of the data they process, the financial crime risks they face, and the systemic importance of financial services to the UK economy. The following controls are considered standard for authorised firms:
Strong authentication, privileged access management, and role-based access control are foundational. All internet-facing systems and all systems processing financial data must require multi-factor authentication. Privileged accounts used to administer systems should be separate from standard user accounts, subject to enhanced monitoring, and require strong MFA. Access to trading systems, client account data, and payment processing should be restricted on a need-to-know basis with access reviews conducted at least quarterly.
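The three checks in the paragraph above (MFA on internet-facing and financial systems, separation of privileged from daily-use accounts, and quarterly review of access to sensitive systems) are the kind of thing an access review should test mechanically rather than by eyeballing a spreadsheet. The script below is an added example, not Softomate's tooling or an FCA artefact; the account export is constructed and its field names (`privileged`, `mfa`, `internet_facing`, `entitlements`, `last_reviewed`) are assumptions about what an IdP or IAM report would provide.

```python
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)                     # "access reviews at least quarterly"
SENSITIVE = {"trading", "client-accounts", "payments"}   # need-to-know systems named in the text
DAILY_USE = {"email", "office"}    # entitlements a separate admin account should not carry

# Constructed sample export (assumed field names; a real IdP/IAM report will differ).
SAMPLE_ACCOUNTS = [
    {"user": "a.smith", "privileged": False, "mfa": True, "internet_facing": True,
     "entitlements": {"trading", "email"}, "last_reviewed": date(2025, 3, 1)},
    {"user": "a.smith-adm", "privileged": True, "mfa": True, "internet_facing": False,
     "entitlements": {"ad-admin"}, "last_reviewed": date(2025, 3, 1)},
    {"user": "b.jones", "privileged": True, "mfa": False, "internet_facing": True,
     "entitlements": {"payments", "email"}, "last_reviewed": date(2024, 9, 1)},
    {"user": "svc-backup", "privileged": True, "mfa": False, "internet_facing": False,
     "entitlements": {"backup"}, "last_reviewed": date(2025, 2, 1)},
]


def review_accounts(accounts, today):
    """Return (user, finding) pairs for every control failure in the export.

    `today` is passed in rather than read from the clock so the review is
    reproducible and can be re-run against a historical export.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        handles_financial = bool(acct["entitlements"] & SENSITIVE)

        # MFA is expected on anything internet-facing, anything touching financial
        # data, and every privileged account.
        if not acct["mfa"] and (acct["internet_facing"] or handles_financial or acct["privileged"]):
            findings.append((user, "NO_MFA"))

        # A privileged account that also holds mailbox/office entitlements is being
        # used as a daily-use account, i.e. admin and standard access are not separated.
        if acct["privileged"] and acct["entitlements"] & DAILY_USE:
            findings.append((user, "ADMIN_NOT_SEPARATED"))

        # Access to sensitive systems must have been reviewed within the quarter.
        if handles_financial and today - acct["last_reviewed"] > REVIEW_WINDOW:
            findings.append((user, "REVIEW_OVERDUE"))
    return findings


def findings_by_user(findings):
    """Group findings per account so each owner gets one remediation list."""
    grouped = {}
    for user, code in findings:
        grouped.setdefault(user, []).append(code)
    return grouped


if __name__ == "__main__":
    for user, codes in findings_by_user(review_accounts(SAMPLE_ACCOUNTS, date(2025, 4, 15))).items():
        print(f"{user}: {', '.join(codes)}")
```

Service accounts such as `svc-backup` will always trip the MFA check because they cannot complete an interactive challenge; the point is that they surface in the review so they can be vaulted in a PAM tool with rotated credentials and restricted logon rights, rather than being silently exempted.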
Trading environments, payment systems, client data stores, and administrative networks should be segmented to limit the ability of an attacker who compromises one environment to move laterally to another. Network segmentation also enables monitoring traffic between segments to detect anomalous lateral movement. Financial services firms that process card data must segment their cardholder data environment (CDE) in accordance with PCI DSS requirements.
Security Information and Event Management (SIEM) systems aggregate log data from across the environment and apply correlation rules and threat intelligence to detect indicators of attack. Financial services is one of the sectors for which threat intelligence is most developed, with sector-specific sharing available through FS-ISAC (the Financial Services Information Sharing and Analysis Center) and the NCSC's Cyber Security Information Sharing Partnership (CiSP); the open-source MISP platform is widely used to exchange and consume such indicators in machine-readable form. Integrating relevant threat intelligence into your monitoring capability shortens the time to detect targeted threats against the sector, provided the indicators are actually matched against your own logs rather than merely stored.
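The two preceding paragraphs describe segmentation as both a containment control and a monitoring point, and the SIEM as the place where cross-segment traffic is correlated with threat intelligence. The following is an added example of that correlation logic run over constructed firewall log lines; it is not code from Softomate or from any SIEM product. The segment CIDRs, the inter-segment allow-list, the log format and the indicator IP are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Segment definitions and permitted inter-segment flows (assumed policy, not a real firm's).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "trading":   ipaddress.ip_network("10.20.0.0/16"),
    "payments":  ipaddress.ip_network("10.30.0.0/16"),
    "admin":     ipaddress.ip_network("10.40.0.0/16"),
}
ALLOWED_FLOWS = {            # (source segment, destination segment, destination port)
    ("corporate", "trading", 443),
    ("admin", "trading", 22),
    ("admin", "payments", 22),
    ("admin", "corporate", 3389),
}
ADMIN_PORTS = {22, 445, 3389}
IOC_IPS = {"203.0.113.45"}   # constructed indicator; in practice fed from CiSP / FS-ISAC / a TIP
LATERAL_WINDOW = timedelta(minutes=10)
LATERAL_THRESHOLD = 3        # distinct hosts in another segment on admin ports within the window

# Constructed firewall log lines in a simplified key=value format.
SAMPLE_LOGS = """\
2025-04-15T09:00:01Z src=10.10.5.20 dst=10.20.1.10 dport=443 action=allow
2025-04-15T09:00:05Z src=10.10.5.20 dst=10.30.1.5 dport=445 action=allow
2025-04-15T09:01:10Z src=10.10.5.20 dst=10.30.1.6 dport=445 action=allow
2025-04-15T09:02:30Z src=10.10.5.20 dst=10.30.1.7 dport=3389 action=allow
2025-04-15T09:03:00Z src=10.40.2.2 dst=10.20.1.10 dport=22 action=allow
2025-04-15T09:04:00Z src=10.30.1.7 dst=203.0.113.45 dport=443 action=allow
2025-04-15T09:30:00Z src=10.10.7.9 dst=10.20.1.11 dport=22 action=deny
"""


def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text):
    """Return (timestamp, rule, detail) findings for the three rules below."""
    findings = []
    admin_hits = defaultdict(list)   # src -> [(ts, dst)] for cross-segment admin-port flows
    lateral_flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        r = parse_line(raw)
        if r["action"] != "allow":
            continue                  # the firewall stopped it; out of scope for these rules
        s_seg, d_seg = segment_of(r["src"]), segment_of(r["dst"])
        stamp = r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        internal = "external" not in (s_seg, d_seg)

        # Rule 1: either endpoint matches a threat-intelligence indicator.
        if r["src"] in IOC_IPS or r["dst"] in IOC_IPS:
            findings.append((stamp, "THREAT_INTEL_MATCH", f"{r['src']} -> {r['dst']}:{r['dport']}"))

        # Rule 2: internal cross-segment flow the policy does not permit.
        if internal and s_seg != d_seg and (s_seg, d_seg, r["dport"]) not in ALLOWED_FLOWS:
            findings.append((stamp, "SEGMENTATION_VIOLATION",
                             f"{r['src']} {s_seg} -> {r['dst']} {d_seg}:{r['dport']}"))

        # Rule 3 (correlation): a non-admin source reaching several hosts in another
        # segment on admin ports inside the window looks like lateral movement.
        if internal and s_seg != d_seg and s_seg != "admin" and r["dport"] in ADMIN_PORTS:
            hits = admin_hits[r["src"]]
            hits.append((r["ts"], r["dst"]))
            recent = {dst for ts, dst in hits if r["ts"] - ts <= LATERAL_WINDOW}
            if len(recent) >= LATERAL_THRESHOLD and r["src"] not in lateral_flagged:
                lateral_flagged.add(r["src"])
                findings.append((stamp, "LATERAL_MOVEMENT",
                                 f"{r['src']} reached {len(recent)} hosts on admin ports "
                                 f"within {LATERAL_WINDOW.seconds // 60} min"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(*finding)
```

On the sample the corporate workstation's three SMB/RDP connections into the payments segment produce three segmentation findings and one lateral-movement finding, and the last payments host it touched is then seen talking to the indicator address, which is the sequence an analyst would want surfaced as one incident rather than five unrelated alerts. The admin jump host's SSH session matches the allow-list and is deliberately excluded from the lateral-movement count; without that exclusion the rule would fire on every maintenance window.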
Regular penetration testing, including CBEST (the Bank of England and FCA's intelligence-led penetration testing framework for systemically important firms) or STAR-FS (the equivalent for other FCA-regulated firms), is an expectation for significant financial services firms. Even for smaller firms not within scope of CBEST or STAR-FS, annual penetration testing of internet-facing systems, internal networks, and specific high-risk applications is standard practice and expected by the FCA and PRA. Our cyber security consultancy includes planning and oversight of penetration testing programmes aligned to FCA expectations.
Financial services firms are subject to detailed outsourcing and third-party risk management requirements: PRA-regulated firms under the PRA's Supervisory Statement SS2/21 on outsourcing and third-party risk management, and FCA solo-regulated firms under the outsourcing rules in SYSC 8 and the FCA's finalised guidance on outsourcing to the cloud and other third-party IT services (FG16/5). These include maintaining a register of ICT third parties, conducting due diligence on critical suppliers, including prescribed contractual provisions, and planning for an orderly exit from critical suppliers if required. The collapse or compromise of a critical ICT supplier could itself put the firm in breach of its operational resilience obligations.
Cyber risk assessment for financial services firms should be integrated with the firm's broader enterprise risk management framework rather than treated as a separate technical exercise. The risk assessment should identify the firm's critical assets (trading systems, client data, payment infrastructure, regulatory reporting systems), the threats most relevant to those assets, the vulnerabilities that exist in the controls designed to protect them, and the business impact of different breach scenarios.
The output of a cyber risk assessment is a risk register that informs investment and improvement priorities. Regulators expect to see evidence of regular risk assessment, treatment of identified risks, and board-level reporting on residual cyber risk. A risk assessment conducted once and never updated is of limited value - the threat landscape, the firm's technology estate, and its regulatory obligations all change continuously.
Softomate's virtual CISO service includes ongoing risk assessment as a core deliverable, ensuring that risk registers are current, treatment plans are progressing, and board reporting reflects an accurate picture of the firm's cyber risk posture. This continuity of oversight is what distinguishes a managed risk programme from an episodic compliance exercise.
Cyber insurance has become a standard component of the cyber risk management toolkit for UK financial services firms. However, the cyber insurance market has hardened significantly in recent years, with insurers imposing stricter minimum security requirements for policy eligibility and coverage. Firms that cannot demonstrate MFA on email and remote access, current patching, offline backups, and documented incident response procedures may find coverage unavailable or subject to exclusions for the most common incident types.
Cyber insurance should be seen as a risk transfer mechanism for residual risk, not a substitute for security controls. Insurers conduct detailed assessments of security posture before binding coverage, and material misrepresentation in the application process can result in coverage being voided at the point of a claim. The policy wording must be reviewed carefully to understand what is and is not covered - particularly around ransomware, business interruption, and regulatory defence costs.
The FCA does not mandate cyber insurance, but it is becoming a de facto requirement for professional indemnity purposes and is expected by many institutional counterparties and clients as evidence of risk management maturity.
The FCA's thematic reviews and enforcement cases reveal consistent patterns of failure across the sector:
Understanding these failure patterns and assessing whether they apply to your organisation is a productive starting point for a gap assessment. Softomate Solutions conducts FCA-aligned cyber security assessments that compare your current posture against regulatory expectations and identify the highest-priority remediation actions.
The FCA considers an operational incident material where it has a significant impact on the firm's ability to deliver services, affects the integrity or availability of data, involves criminal activity, or results in significant media coverage. In practice, incidents that disrupt important business services for more than a brief period, compromise customer data, involve ransomware, or result in financial loss to clients are typically material. Firms should document their materiality assessment process and apply it consistently, rather than making ad hoc judgements under pressure during an incident.
Cyber Essentials is a UK government scheme that verifies five fundamental security controls. While not specifically mandated by the FCA, achieving Cyber Essentials or Cyber Essentials Plus demonstrates a security baseline that supports compliance with SYSC risk management requirements, satisfies some client and counterparty security requirements, and evidences good practice to the ICO in the event of a UK GDPR investigation. Larger, more complex financial services firms will typically operate above Cyber Essentials controls, but certification provides useful external assurance on the foundational controls.
CBEST is the Bank of England, PRA and FCA's intelligence-led penetration testing framework for systemically important financial institutions. It simulates the tactics, techniques, and procedures of real threat actors targeting the UK financial system, using current threat intelligence to design and conduct targeted attacks against the firm's production environment. CBEST is required for the most significant firms, including major banks, payment system operators, and financial market infrastructure providers. Smaller FCA-regulated firms typically conduct STAR-FS (Simulated Target Attack and Response for Financial Services), the CREST-accredited equivalent scaled to their risk profile.
PCI DSS (Payment Card Industry Data Security Standard) is a contractual requirement imposed by the card schemes on any organisation that stores, processes, or transmits cardholder data. It specifies detailed technical and operational requirements including network segmentation of the cardholder data environment, rendering stored cardholder data unreadable and encrypting it in transit over open networks, access control, vulnerability scanning, penetration testing, and logging. PCI DSS requirements overlap significantly with cyber security best practice and with FCA operational resilience expectations, but compliance with PCI DSS alone does not satisfy FCA requirements: PCI DSS focuses narrowly on card data protection, while the FCA's expectations are broader.
Annual penetration testing is the standard minimum for most FCA-regulated firms, covering internet-facing systems, internal networks, and specific high-risk applications. PCI DSS requires annual penetration testing of systems in scope and after significant changes. The FCA and PRA expect larger firms to supplement annual testing with continuous vulnerability scanning, red team exercises, and threat-led penetration testing aligned to CBEST or STAR-FS frameworks. Penetration testing should be complemented by continuous monitoring, threat intelligence, and vulnerability management - testing once a year without ongoing monitoring leaves the firm blind to threats that emerge between tests.
Activate your incident response plan immediately. Contain the incident by isolating affected systems. Preserve forensic evidence. Engage your cyber incident response retainer if you have one. Assess whether FCA notification is required and, if so, notify promptly. Assess whether ICO notification is required within 72 hours. Notify your cyber insurer. Brief your board and the nominated Senior Manager accountable for cyber risk. Engage legal counsel, particularly if client funds or regulated activities are affected. Document every decision and action throughout the response. Do not communicate about the incident on systems that may be compromised.
Smaller FCA-regulated firms face proportionate regulatory expectations; the FCA's approach is risk-based, and a small insurance broker is held to different standards than a major clearing bank. Focusing first on the highest-impact controls (MFA, patch management, access control, backup and recovery) achieves the most regulatory and security benefit per pound spent. Using cloud platforms that carry their own security certifications (Microsoft 365, AWS, Google Cloud) reduces the compliance burden for the underlying infrastructure, although under the shared responsibility model the firm remains accountable for identity, configuration, and the data it places there. A virtual CISO provides strategic oversight and regulatory expertise at a fraction of the cost of a full-time hire. Cyber Essentials certification provides independent baseline assurance that reduces the cost of evidencing security posture to regulators and counterparties.