The UK’s financial regulator has moved to strengthen cyber and operational resilience requirements, as organisations face a sharp rise in increasingly complex and interconnected cyber threats.

The Financial Conduct Authority (FCA) has confirmed new rules aimed at standardising how firms report cyber incidents and manage third-party risk - marking a significant step forward in improving visibility across the financial system.

These rules will come into force in March 2027, with firms given a year to prepare.

A Shift Towards Faster, Clearer Incident Reporting

At the heart of the FCA’s update is a push for greater consistency and speed in how cyber incidents are reported.

Under the new framework, firms will:

  • Report incidents through a single, unified portal
  • Share information simultaneously with the Bank of England and the Prudential Regulation Authority (PRA)
  • Follow clearer guidance on what constitutes a reportable incident and when disclosures must be made

This replaces a previously fragmented reporting structure, where firms often faced uncertainty over thresholds, timelines, and regulatory expectations.

Mark Francis, Director of Specialists and Wholesale Sell-Side at the FCA, emphasised the urgency of the changes:

“Resilience is being tested like never before. These changes give firms clearer rules and practical guidance to better manage disruption.”

The goal is simple: ensure regulators receive timely, standardised, and actionable data during incidents—enabling faster system-wide responses.

Third-Party Risk Moves to the Forefront

A defining feature of the new rules is the heightened focus on third-party and supply chain risk.

According to FCA data, over 40% of cyber incidents reported in 2025 involved a third party, underlining how deeply financial institutions now rely on external providers for critical services.

Recent disruptions involving major cloud and infrastructure providers - including AWS and Cloudflare - have demonstrated how a single failure can cascade across multiple organisations.

This growing dependency has fundamentally changed the risk landscape. Cyber attacks are no longer limited to direct breaches of a target organisation; instead, attackers are increasingly exploiting weaker links within supply chains to gain access to higher-value systems.

As Jake Ives, Head of Security at Intersys, notes:

“If a business provides services to a larger organisation, it automatically becomes a target.”

The Expanding Threat Landscape

The FCA’s intervention comes amid clear evidence that cyber threats are both intensifying and evolving.

Research from IBM's X-Force Threat Intelligence Index 2026 indicates a 44% increase in attacks targeting internet-facing systems, with common vulnerabilities including:

  • Missing or weak authentication controls
  • Unpatched software flaws

At the same time, fundamental security hygiene issues persist across UK organisations. A study by SailPoint found that 77% of firms fail to promptly deactivate accounts belonging to former employees, leaving organisations exposed to credential misuse.

These gaps highlight a critical issue: while threats are becoming more advanced, many organisations are still struggling with basic identity and access management.
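The offboarding gap described above is a reconciliation problem: HR knows who has left, the directory knows which accounts are enabled, and the sign-in logs know who is still authenticating. The following is an added example, not code from the article, the FCA, or SailPoint. It joins those three sources and flags accounts that remained enabled past an assumed 24-hour deactivation target, accounts that were disabled late, and any sign-in that happened after the departure date. The leaver records, accounts, sign-in events and the 24-hour target are all constructed assumptions for illustration.

```python
"""Leaver reconciliation: flag accounts that outlived their owner's employment.

Added example; not from the article, the FCA, or SailPoint. The leaver
records, directory accounts and sign-in events are constructed sample data,
and the 24-hour deactivation target is an assumed policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: every account owned by a leaver is disabled within this window.
DEACTIVATION_SLA = timedelta(hours=24)


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    left_at: datetime


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str | None   # None for service or shared accounts with no owner
    enabled: bool
    disabled_at: datetime | None


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    issue: str                # "still_enabled", "late_disable" or "post_departure_signin"
    detail: str


def reconcile(leavers, accounts, signins, now):
    """Cross-check HR leavers against directory accounts and sign-in events.

    signins: iterable of (username, timestamp, source_ip) for successful logins.
    Returns Finding objects, one per problem, sorted by username then issue.
    """
    left_by_emp = {lv.employee_id: lv.left_at for lv in leavers}
    owner_of = {a.username: a.employee_id for a in accounts}
    findings = []

    for acct in accounts:
        left_at = left_by_emp.get(acct.employee_id)
        if left_at is None:
            continue  # current employee or unowned account: not a leaver check
        deadline = left_at + DEACTIVATION_SLA
        if acct.enabled:
            overdue = now - deadline
            if overdue > timedelta(0):
                findings.append(Finding(acct.username, acct.employee_id, "still_enabled",
                                        f"enabled {overdue.days}d past deadline"))
        elif acct.disabled_at is not None and acct.disabled_at > deadline:
            late = acct.disabled_at - deadline
            findings.append(Finding(acct.username, acct.employee_id, "late_disable",
                                    f"disabled {late} after deadline"))

    # A successful sign-in after the departure date is credential misuse or a
    # missed offboarding step, whether or not the account has since been disabled.
    for username, ts, src in signins:
        emp = owner_of.get(username)
        left_at = left_by_emp.get(emp)
        if left_at is not None and ts > left_at:
            findings.append(Finding(username, emp, "post_departure_signin",
                                    f"sign-in from {src} at {ts:%Y-%m-%d %H:%M}"))

    return sorted(findings, key=lambda f: (f.username, f.issue))


# Constructed sample data (not real employees, accounts or addresses).
NOW = datetime(2026, 3, 18, 9, 0)
LEAVERS = [
    Leaver("E1001", datetime(2026, 2, 27, 17, 0)),   # left about three weeks ago
    Leaver("E1002", datetime(2026, 3, 16, 17, 0)),   # left two days ago
    Leaver("E1003", datetime(2026, 3, 17, 12, 0)),   # left yesterday, still inside the SLA
]
ACCOUNTS = [
    Account("a.smith", "E1001", True, None),                                # never disabled
    Account("b.jones", "E1002", False, datetime(2026, 3, 17, 10, 0)),       # disabled on time
    Account("c.lee", "E1003", True, None),                                  # within 24h window
    Account("d.kim", "E2000", True, None),                                  # current employee
    Account("svc-backup", None, True, None),                                # unowned service account
    Account("a.smith-admin", "E1001", False, datetime(2026, 3, 10, 9, 0)),  # disabled late
]
SIGNINS = [
    ("a.smith", datetime(2026, 3, 12, 2, 14), "203.0.113.7"),   # after departure
    ("b.jones", datetime(2026, 3, 16, 9, 0), "10.0.0.5"),       # before departure, fine
    ("d.kim", datetime(2026, 3, 17, 8, 30), "10.0.0.9"),        # current employee
]

if __name__ == "__main__":
    for f in reconcile(LEAVERS, ACCOUNTS, SIGNINS, NOW):
        print(f"{f.issue:22} {f.username:15} ({f.employee_id}): {f.detail}")
```

In practice the three inputs come from an HRIS export, a directory dump (or an identity provider's user API) and the identity provider's sign-in log; the join key is the employee identifier, which is why unowned service accounts fall out of scope here and need a separate ownership review.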

Alignment with UK Government Strategy

The FCA’s updated requirements align closely with the UK government’s forthcoming Cyber Security and Resilience Bill, which is currently progressing through Parliament.

The proposed legislation will:

  • Expand regulatory oversight to include data centres and critical suppliers
  • Introduce stricter reporting timelines, including initial incident notification within 24 hours
  • Reinforce accountability across supply chains

Together, these measures reflect a broader shift in regulatory thinking—from focusing solely on individual firms to addressing systemic resilience across interconnected ecosystems.

What This Means for Organisations

For financial services firms, the implications are clear, even with a year to prepare:

  • Enhanced compliance obligations
  • Greater scrutiny of third-party relationships
  • Increased need for robust incident detection and reporting capabilities

However, the impact extends well beyond the financial sector.

Any organisation operating within a supply chain - particularly those serving larger enterprises - must now recognise that it forms part of a wider attack surface.

This requires a shift in mindset:

  • From internal security to ecosystem security
  • From reactive response to proactive resilience planning

Final Thoughts

The FCA’s latest measures reflect a critical reality: cyber risk is no longer confined to organisational boundaries.

In an environment defined by cloud dependency, outsourced services, and digital interconnectedness, resilience depends not only on your own defences—but on the security of every partner, provider, and system you rely on.

As regulators tighten expectations and threats continue to evolve, organisations that invest in visibility, governance, and supply chain resilience will be best positioned to withstand the next wave of disruption.

Written by Edward Jones
18 Mar 2026
A digital marketing expert with more than 10 years' experience across the full range of disciplines, Edward has an extensive history as a writer, with over 300 published articles across the technology and digital publishing sectors.