
FCA Updates Cyber Incident and Third-Party Reporting Rules
Why It Matters
Clearer reporting standards will improve data quality for regulators, enabling faster risk identification and sector‑wide resilience. The rules also push firms to strengthen third‑party risk management, a critical focus under emerging EU and UK legislation.
Key Takeaways
- FCA introduces unified cyber incident reporting portal
- Reporting threshold clarified; short form for most firms
- Third‑party incidents account for 40% of 2025 reports
- New rules align with DORA and UK resilience bill
- Firms have until March 2027 to comply
Pulse Analysis
The FCA’s latest cyber‑incident reporting framework arrives at a moment when financial institutions face unprecedented digital threats. By consolidating reporting channels with the Prudential Regulation Authority and the Bank of England, the regulator reduces administrative friction and creates a single source of truth for cyber‑related disruptions. The streamlined short‑form approach lowers the reporting burden, while clearer thresholds ensure that only material events trigger notification, helping firms focus resources on genuine risk mitigation.
A standout feature of the new regime is its explicit inclusion of third‑party failures. Recent high‑profile outages at cloud providers such as AWS and Cloudflare highlighted how external dependencies can cascade into systemic risk. The FCA notes that 40% of incidents reported in 2025 involved a supplier, underscoring the urgency of robust vendor oversight. Aligning with the EU’s Digital Operational Resilience Act (DORA) and the UK’s Cyber Security and Resilience Bill, the rules push firms to embed third‑party risk assessments into their operational resilience strategies, fostering a more transparent supply‑chain ecosystem.
For market participants, the 12‑month preparation window ending on 18 March 2027 offers a clear timeline to upgrade reporting infrastructure and refine incident response plans. The FCA intends to leverage the aggregated data to publish sector‑wide insights, enabling firms to benchmark performance and adopt best practices. Early compliance not only avoids regulatory penalties but also equips institutions with actionable intelligence to pre‑empt future cyber disruptions, ultimately strengthening the stability of the UK financial system.