The Financial Conduct Authority (FCA) has confirmed new rules aimed at standardising how firms report cyber incidents and manage third-party risk, marking a significant step forward in improving visibility across the financial system.
These rules will come into force in March 2027, with firms given a year to prepare.
At the heart of the FCA’s update is a push for greater consistency and speed in how cyber incidents are reported.
Under the new framework, firms will:
This replaces a previously fragmented reporting structure, where firms often faced uncertainty over thresholds, timelines, and regulatory expectations.
Mark Francis, Director of Specialists and Wholesale Sell-Side at the FCA, emphasised the urgency of the changes:
“Resilience is being tested like never before. These changes give firms clearer rules and practical guidance to better manage disruption.”
The goal is simple: ensure regulators receive timely, standardised, and actionable data during incidents—enabling faster system-wide responses.
A defining feature of the new rules is the heightened focus on third-party and supply chain risk.
According to FCA data, over 40% of cyber incidents reported in 2025 involved a third party, underlining how deeply financial institutions now rely on external providers for critical services.
Recent disruptions involving major cloud and infrastructure providers (including AWS and Cloudflare) have demonstrated how a single failure can cascade across multiple organisations.
This growing dependency has fundamentally changed the risk landscape. Cyber attacks are no longer limited to direct breaches of a target organisation; instead, attackers are increasingly exploiting weaker links within supply chains to gain access to higher-value systems.
As Jake Ives, Head of Security at Intersys, notes:
“If a business provides services to a larger organisation, it automatically becomes a target.”
The FCA’s intervention comes amid clear evidence that cyber threats are both intensifying and evolving.
Research from IBM's X-Force Threat Intelligence Index 2026 indicates a 44% increase in attacks targeting internet-facing systems, with common vulnerabilities including:
At the same time, fundamental security hygiene issues persist across UK organisations. A study by SailPoint found that 77% of firms fail to promptly deactivate accounts belonging to former employees, leaving organisations exposed to credential misuse.
These gaps highlight a critical issue: while threats are becoming more advanced, many organisations are still struggling with basic identity and access management.
The FCA’s updated requirements align closely with the UK government’s forthcoming Cyber Security and Resilience Bill, which is currently progressing through Parliament.
The proposed legislation will:
Together, these measures reflect a broader shift in regulatory thinking—from focusing solely on individual firms to addressing systemic resilience across interconnected ecosystems.
For financial services firms, the implications are immediate:
However, the impact extends well beyond the financial sector.
Any organisation operating within a supply chain, particularly one serving larger enterprises, must now recognise that it forms part of a wider attack surface.
This requires a shift in mindset:
The FCA’s latest measures reflect a critical reality: cyber risk is no longer confined to organisational boundaries.
In an environment defined by cloud dependency, outsourced services, and digital interconnectedness, resilience depends not only on your own defences—but on the security of every partner, provider, and system you rely on.
As regulators tighten expectations and threats continue to evolve, organisations that invest in visibility, governance, and supply chain resilience will be best positioned to withstand the next wave of disruption.