Cyber resilience

Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.

Our goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.

Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets - hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.

Cyber security is a shared responsibility, and we take a co-operative approach to addressing this threat, working with government and other regulators, both nationally and internationally, on this important issue.


The National Cyber Security Centre provides a broad range of guidance on how firms can protect their information and systems and how to respond to a cyber attack. We have also published a number of different publications and webpages on cyber security:

Reporting a cyber incident

Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:

  • results in significant loss of data, or of the availability or control of your IT systems
  • affects a large number of customers
  • results in unauthorised access to, or malicious software present on, your information and communication systems

We will update these requirements in line with any future regulations.

How to report a cyber incident

If you judge a cyber incident to be material, report it as follows:

  • Refer to the NCSC guidance on reporting incidents.
  • Share on the CiSP platform.

Cyber and operational resilience testing

To help both firms and us understand their cyber resilience capability at a high level, the FCA and PRA have created a self-assessment questionnaire, CQUEST. CQUEST consists of multiple-choice questions covering aspects of cyber resilience, such as:

  • Does the firm have a board-approved cyber security strategy?
  • How does it identify and protect its critical assets?
  • How does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot of a firm’s cyber resilience capability and highlight areas for further development. If you would like to complete the questionnaire, please email: [email protected]

The FCA has created a broader operational resilience self-assessment questionnaire to help both firms and us understand their operational resilience (including cyber) capabilities. If you would like to complete the questionnaire, please email: [email protected]