Information on financial advice firms reporting cyber incidents - February 2026

1. Please provide information on the number of financial advice firms who reported a material cyber incident to the FCA in the years 2023, 2024, and 2025?
2. The total number of material cyber incidents reported to the FCA by financial advice firms in the years 2023, 2024 and 2025.
3. Of the number of material cyber incidents reported by financial advice firms (answer to question B), how many of these were cyber attacks?

Please note that under Principle 11 of the FCA’s Principles for Businesses, firms are required to deal with the FCA in an open and cooperative way and to disclose to us appropriately anything relating to the firm of which the FCA would reasonably expect notice. SUP 15.3 sets out additional rules and guidance on when the FCA would expect notice of matters relating to a firm. This means that the FCA is likely to expect a firm to report material operational incidents to the FCA. An incident may be material if it:

• results in a significant loss of data
• results in the unavailability or control of IT systems
• affects a large number of customers
• results in unauthorised access to information systems

This list is not exhaustive. 

It may be helpful to explain that we hold centralised records on material operational incidents reported to the FCA by individual firms under Supervision manual (SUP) 15.3 and Principle 11. This includes incidents that are a result of cyber-attacks. 

These figures do not include incidents that have not been reported directly to the FCA. 

The data provided is accurate as of 20 January 2026 and is subject to change where there are ongoing investigations of incidents and root causes. 

Delays between incident detection and reporting may mean that some incidents are reported in a different time period.

For this request we have used the information submitted by firms that are supervised in the “Advisers and intermediaries” portfolio. It may be helpful to know that we define this portfolio as financial advisers and intermediaries that are personal investment firms (PIFs) that carry out designated investment business, generally without holding client money. For financial advisers, the primary regulated activity will be advising on investments. For retail investments intermediaries, regulated activities will include making arrangements with a view to transactions in investments, arranging deals in investments and dealing in investments. 

It may also be the case that not all firms that provide financial advice services are categorised in the “Advisors and intermediaries” portfolio.

We categorise incidents reported to us into three principal domains:

• Technology: Includes, but is not limited to, delayed payments, late submissions, customer connectivity failures, change management deficiencies, and database malfunctions.
• Cyber: Encompasses incidents arising from malicious activity, including phishing, distributed denial-of-service (DDoS) attacks, and ransomware.
• Non-Technology: Covers incidents such as power outages attributable to natural disasters or theft.

Cyber incidents are further divided into two primary high-level root cause elements:

• Cyber Attacks: Malicious acts directed against the Firm, including phishing and/or credential compromise, DDoS, ransomware, etc.
• Third-Party Cyber: Equivalent malicious acts perpetrated against third-party entities, that impact a regulated entity. 

For this request, material cyber incidents are recorded under the domain Cyber, for Cyber Attacks this indicates malicious attacks directed against a FCA regulated entity (and does not include cyber-attacks on third parties that impact a regulated entity)

We now turn to your request. Please find below response to your questions. In considering the data provided, please note that this information is based on the date of the notification made to the FCA, not the date the incident took place.