Cyber resilience

Cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.

Our goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.

Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets - hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.

Cyber security is a shared responsibility, and we take a co-operative approach to addressing this threat, working with government and other regulators, nationally and internationally, on this important issue.

On January 3, we became aware of some critical security vulnerabilities — known as Meltdown and Spectre — that affect modern computer processors. This means that actions that would normally have been difficult for an attacker, such as obtaining passwords, are theoretically easier. The National Cyber Security Centre (NCSC) has provided guidance for individuals and companies seeking further detail and advice on protecting themselves.

Publications

The National Cyber Security Centre provides a broad range of guidance on how firms can protect their information and systems and how to respond to a cyber attack. We have also published a number of documents and webpages on cyber security:

Reporting a cyber incident

Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:

  • results in significant loss of data, or of the availability or control of your IT systems
  • affects a large number of customers
  • results in unauthorised access to, or malicious software present on, your information and communication systems.

We will update these requirements in line with any future regulations.

How to report a cyber incident

If you judge a cyber incident to be material, report it as follows:

1. Refer to the NCSC guidance on reporting incidents

2. Share on the CiSP platform