FCA tightens cyber reporting rules as UK firms face rising risk
The City watchdog has moved to tighten cyber and operational resilience rules for financial firms, as attacks grow more frequent and increasingly spread through third-party providers.
The Financial Conduct Authority (FCA) confirmed new requirements to standardise how firms report incidents and manage third-party risks, in a bid to improve visibility over disruptions ranging from cyber attacks to cloud outages.
The changes are designed to give regulators faster, clearer data when incidents hit, as well as to help firms understand what they need to report, and when.
“Resilience is being tested like never before,” said Mark Francis, director of specialists and wholesale sell-side at the FCA. “These changes give firms clearer rules and practical guidance to better manage disruption.”
The overhaul follows a series of high-profile outages and a sharp rise in supply chain exposure.
The FCA announced that over 40 per cent of cyber incidents reported in 2025 involved a third party, showing just how deeply financial services currently rely on external providers.
Recent disruptions at major infrastructure providers such as AWS and Cloudflare have reinforced those concerns, showing how a single failure can cascade across multiple businesses.
Under the new regime, firms will report through a single portal shared with the Bank of England and Prudential Regulation Authority, replacing a more fragmented system.
Reporting thresholds and definitions have also been clarified, while most firms will be able to submit shorter reports.
The rules will come into force in March 2027, with firms given a year to prepare.
Supply chain risks
The move comes as cyber risk shifts away from direct attacks towards weaker links in company supply chains, a trend increasingly affecting UK businesses beyond financial services.
Government data and industry research suggest the threat is both persistent and evolving.
Cyber incidents continue to hit a large proportion of UK organisations, while attackers are using AI tools to identify vulnerabilities faster and at greater scale.
IBM recently reported a 44 per cent rise in attacks exploiting internet-facing systems, with missing login protections and software flaws among the most common entry points.
At the same time, basic security gaps remain widespread. A separate study by SailPoint found 77 per cent of UK firms fail to deactivate accounts belonging to former employees promptly, creating an open door for credential abuse.
The growing complexity of digital operations is compounding the problem.
Businesses are now managing thousands of new identities each month, including not just employees and contractors, but also automated systems and AI agents, stretching already outdated security processes.
The government’s Cyber Security and Resilience Bill, currently moving through Parliament, mirrors this shift.
It expands oversight to include data centres and critical suppliers, and introduces stricter reporting timelines, including initial notifications within 24 hours of an incident.
Jake Ives, head of security at Intersys, said: “If a business provides services to a larger organisation, it automatically becomes a target.” He warned that attackers often exploit weaker suppliers to reach higher-value systems.