FCA Tightens Incident and Third Party Reporting Rules

The Financial Conduct Authority (FCA) has confirmed new incident and third-party reporting rules designed to strengthen operational resilience across the UK financial services sector. The update follows a growing number of cyber attacks, technology outages, and disruptions linked to third-party providers.

While these rules apply specifically to FCA-regulated firms, the broader message is relevant far beyond finance. As organisations increasingly rely on cloud platforms, suppliers, and external service providers, resilience now depends on clear visibility, timely detection, and the ability to respond quickly when disruption occurs.

What Has the FCA Changed?

The FCA has acknowledged that incident reporting across the industry has not always been consistent. Firms have called for clearer guidance on what should be reported, when it should be reported, and what level of information is required.

In response, the FCA has introduced more structured and consistent rules covering:

  • Operational incident reporting, including cyber attacks and technology outages.
  • Third-party reporting, where disruption originates from suppliers or service providers.

To reduce complexity, the reporting framework has been streamlined and aligned with the Prudential Regulation Authority (PRA) and the Bank of England. This includes a single reporting portal, clearer thresholds, and simplified reporting expectations for most firms.

Why Third Party Risk Is Central to the Update

One of the key drivers behind the new rules is the increasing role of third parties in cyber incidents.

The FCA has confirmed that over 40% of cyber incidents reported in 2025 involved a third party provider, highlighting how often disruption sits outside a firm’s direct control.

Recent high-profile outages affecting major cloud and infrastructure providers have reinforced this point. Even organisations with strong internal controls can be affected when a critical supplier experiences an incident.

The FCA’s position reflects a clear shift in regulatory thinking. Operational resilience is no longer assessed solely on internal systems. It now extends across the entire technology and supplier ecosystem that supports business operations.

Why This Matters Beyond Regulated Firms

Although these rules are aimed at FCA-regulated organisations, the principles behind them apply to almost every modern business.

Most UK organisations now rely on:

  • Cloud platforms such as Microsoft 365 and Azure
  • Managed IT and cyber security providers
  • Software as a service (SaaS) applications
  • External suppliers with system or data access

When incidents occur in these environments, the impact can be immediate. Without clear monitoring and response processes in place, organisations may struggle to detect issues early or fully understand their scope and impact.

The FCA’s update reinforces an expectation that organisations understand where their risks sit, can identify disruption quickly, and are prepared to respond, even when the issue originates outside their own network.

Operational Resilience Depends on Visibility and Response

Modern cyber incidents are not always obvious. Many begin quietly through trusted access, misused permissions, or supplier systems rather than overt attacks.

Without continuous visibility and a defined incident response approach, organisations may find it difficult to:

  • Detect incidents early
  • Assess their scope and potential impact
  • Respond confidently under pressure
  • Meet governance, audit, or reporting expectations

This is why regulators are increasingly prioritising operational resilience, not just preventative security controls.

How Reflective IT Can Help

At Reflective IT, we help organisations build stronger operational resilience across their IT and cloud environments.

By combining proactive managed IT services with continuous security monitoring through our UK-based Security Operations Centre (SOC), we provide the visibility and response capability needed to detect incidents early, understand third-party risk, and act quickly when disruption occurs.

This approach closely aligns with the FCA’s direction and supports organisations that need clarity, control, and confidence when incidents or supplier-related issues arise.

If you would like to discuss how resilient your organisation is to incidents and third-party disruption, speak to our team.

📞 0207 317 4535 | 📧 support@reflectiveit.com
