Incoming FCA rules prompt call to test cyber response

Financial services firms are being urged to assess whether their incident response capabilities can meet new cyber reporting requirements confirmed by the Financial Conduct Authority alongside the Prudential Regulation Authority and the Bank of England.

Due to take effect in March 2027, the rules introduce stricter reporting timelines and increased scrutiny of third-party risk.

Chris Butler, resilience director at Databarracks, said: “The new rules have not emerged in isolation. They come amid significant regulatory and parliamentary momentum, including the Cyber Security and Resilience Bill and the Cyber Ransomware Reporting Bill. These measures reflect a clear expectation from regulators that firms must have incident response procedures capable of meeting precise, time-bound obligations.

“Exercises should be demanding and rigorous, updated frequently, and integrate excellent business continuity measures to keep the business running in manual or minimum operating conditions. Comprehensive backups are also essential to recover systems if data is lost. These exercises must also prove the organisation can meet the required reporting timescales in a real-life incident.”

Regulatory data suggests that more than 40% of cyber incidents reported to the FCA in 2025 involved a third party. Under the new rules, firms must maintain third-party registers and retain responsibility for reporting incidents, even where suppliers are involved.

“If the cause of a breach is a third party, the obligation to report and manage it does not transfer to that supplier; it sits with the regulated firm,” Butler added. “Organisations need robust supplier monitoring arrangements and clear contractual obligations to reflect this.”

Ransomware payment restrictions taking shape in Parliament add a further dimension that firms cannot afford to overlook.

“For firms that cannot legally pay a ransom, the question becomes very practical. How do you avoid causing real harm to customers if that option is off the table? The answer depends on whether business continuity measures have been tested and whether solid, verified backups and a proven recovery process are in place,” he added. “The rules set a clear bar. Whether firms can clear it depends on the work they have already done to test and rehearse their response. Resilience treated as an operational discipline looks very different from resilience treated as an annual compliance task.”
