Cyber resilience

Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, be able to defend themselves effectively, and respond proportionately to cyber events.

Our goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.

Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets - hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.

Cyber security is a shared responsibility, and we take a co-operative approach to addressing this threat, working with government and other regulators, nationally and internationally, on this important issue.


The National Cyber Security Centre provides a broad range of guidance on how firms can protect their information and systems and how to respond to a cyber attack. We have also published a number of publications and webpages on cyber security:

  • Nausicaa Delfas, our chief operating officer, delivered a speech outlining our approach to cyber resilience in September 2016.
  • She also delivered a speech on the current threat landscape in April 2017.
  • We have published guidance for firms outsourcing to the ‘cloud’ and other third-party IT services.
  • We have published information on fake emails from the FCA.
  • We have published a statement on the recent ransomware attack.

Reporting a cyber incident

Under Principle 11, you must report material cyber incidents. You may consider an incident material if:

  • it results in significant loss of data, or of the availability or control of your IT systems
  • it impacts a large number of victims
  • it results in unauthorised access to, or malicious software present on, your information and communication systems

These requirements will be updated in line with any future regulations.

How to report a cyber incident

If you judge an incident to be material (under Principle 11), you should report it to the following authorities: