Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.
Our goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.
Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets - hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.
Cyber security is a shared responsibility, and we take a co-operative approach to address this threat, working with government, other regulators, nationally and internationally on this important issue.
The National Cyber Security Centre provides a broad range of guidance on how firms can protect their information and systems and how to respond to a cyber attack. We have also published a number of different publications and webpages on cyber security:
- A guide for firms on the foundations of good cyber security (June 2017)
- Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (July 2016)
- Information on fake emails from the FCA (May 2017)
- A statement on the recent ransomware attack (May 2017)
- Nausicaa Delfas, our chief operating officer, delivered a speech outlining our approach to cyber resilience in September 2016
- She also delivered a speech on the current threat landscape in April 2017
- A Cyber Coordination Group survey (December 2017)
Reporting a cyber incident
Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:
- results in significant loss of data, or the availability or control of your IT systems
- affects a large number of customers
- results in unauthorised access to, or malicious software present on, your information and communication systems.
We will update these requirements in line with any future regulations.
How to report a cyber incident
1. If you judge a cyber incident to be material, report it as follows:
- Fixed firms should contact their named FCA supervisors, and flexible firms should call 0300 500 0597 or email [email protected]
- If your firm is dual-regulated, you should also contact the Prudential Regulation Authority
- If the incident is criminal, you should contact Action Fraud or call them on 0300 123 2040
- If the incident is a data breach, you may need to report it to the Information Commissioner's Office.
2. Refer to the NCSC guidance on reporting incidents
3. Share on the CiSP platform