Information on cyber security - December 2025


Reference Case Number: FOI2025/01435

Freedom of Information: Right to know request:

1. The total number of material cyber incidents reported to the FCA in the financial years: 2019-20, 2020-21, 2021-22, 2022-23, 2023-24, 2024-25, and 2025-26 (so far).

2. For each of the years, please provide a subcategory of the number of material cyber incidents that were attributed to cyber-attacks, that were attributed to ransomware, that were attributed to Distributed Denial of Service, that were attributed to phishing.

If you estimate that this request will extend beyond the time and budget cap if completed in full, please prioritise the years 2025-26 (so far), 2024-25 and 2023-24 (in that order).
 

FCA response:

It may be helpful to explain that we hold centralised records on material operational incidents reported to the FCA by individual firms under Supervision manual (SUP) 15.3 and Principle 11. This includes incidents that are a result of cyber-attacks.

These figures do not include incidents that have not been reported directly to the FCA.

The data provided is accurate as of 25 November 2025 and is subject to change where there are ongoing investigations of incidents and root causes. 

Delays between incidents, detection and reporting may mean some instances are reported in a different time period.

Incidents are categorised into three principal domains: 

  • Technology: Includes, but is not limited to, delayed payments, late submissions, customer connectivity failures, change management deficiencies, and database malfunctions.
  • Cyber: Encompasses incidents arising from malicious activity, including phishing, distributed denial-of-service (DDoS) attacks, and ransomware.
  • Non-Technology: Covers incidents such as power outages attributable to natural disasters or theft.

Cyber incidents are further divided into two primary high-level root cause elements:

  • Cyberattacks: Malicious acts directed against the Firm, including phishing and/or credential compromise, DDoS, ransomware, etc.
  • Third-Party Cyber: Equivalent malicious acts perpetrated against third-party entities that impact a regulated entity.

We now turn to your request. Please find our response to your questions below: