Information about cyber incidents - September 2025


Reference Case Number: FOI2025/00771

Freedom of Information: Right to know request:

  1. Please can you provide information on the total number of material cyber incidents reported to the FCA between the period 1st January 2024 and 31st December 2024? The FCA previously defined a material cyber incident https://www.fca.org.uk/publication/documents/cyber-security-infographic.pdf.
  2. Of the total number of material cyber incidents reported (answer to question A), how many of these were cyber-attacks?
  3. Of the total number of material cyber incidents reported (answer to question A), how many contained notifications where the confidentiality of company or personal data may have been compromised or breached?
  4. Of the total number of material cyber incidents reported (answer to question A), how many involved ransomware?

FCA response:

In response to your request, it may be helpful to know that we hold centralised records on material operational incidents reported to the FCA by individual firms under SUP 15.3 and Principle 11. This includes incidents that are a result of cyber-attacks.

These figures do not include incidents at FCA regulated firms that have not been reported directly to the FCA.

Please note that all data/information is from 1 January 2025 to 16 September 2025 and is subject to change where there are ongoing investigations of incidents and root causes.

Please also note that there is often a delay between the incident, its detection and reporting. This can mean that, in certain circumstances, incidents reported in a specified period may refer to incidents that occurred outside of that period.

Clarification: Material Cyber Incident and Cyber Attack

Incidents are categorised into three principal domains: Cyber, Technology, and Non-Technology.

  • Technology: Includes, but is not limited to, delayed payments, late submissions, customer connectivity failures, change management deficiencies, and database malfunctions.
  • Cyber: Encompasses incidents arising from malicious activity, including phishing, distributed denial-of-service (DDoS) attacks, and ransomware.
  • Non-Technology: Covers incidents such as power outages attributable to natural disasters or theft.

Cyber incidents are further divided primarily into two high-level root cause elements:

  • Cyber Attacks: Malicious acts directed against the Firm, including phishing, DDoS, and ransomware.
  • Third-Party Cyber: Equivalent malicious acts perpetrated against third-party entities that impact a regulated entity.
  • Other: Other categories that fall within cyber incidents and make up a smaller proportion of the total number of cyber incidents.

For reporting purposes, material cyber incidents are recorded under the domain Cyber. For Cyber Attacks, this indicates malicious attacks directed against an FCA regulated entity (and does not include cyber-attacks on third parties that impact a regulated entity).