In 2025, over 40% of cyber incidents reported to the UK Financial Conduct Authority (FCA) involved a third party. It is with this in mind that the FCA has introduced updated rules and guidance for operational incident and material third party reporting.
The new rules, published in March 2026 and coming into force on 18 March 2027, create a single reporting portal shared with the Prudential Regulation Authority and Bank of England, removing duplicated requirements that previously applied to payment service providers and credit rating agencies.
The updated standards are designed to give financial services firms greater clarity on which cyber incidents to report and when, aiming to strengthen sector-wide cyber and business resilience.
As the threat to financial firms grows, what do the new rules say and what should companies in the sector be doing to shore up security?
Attractive Target
Financial firms are a particularly attractive target for attackers. “The sector holds high-value data, processes enormous transaction volumes, and increasingly relies on interconnected vendors and cloud providers to deliver core services – each dependency a potential entry point for attackers,” says Tom Miller, principal consultant at AMR CyberSecurity.
While supply chain risks affect all sectors, in financial services, where third-party outages can freeze payments or expose customer data at scale, the stakes are “especially high,” Miller points out.
Problems at one provider can now affect several firms at once, says Bogdan Chirila, director in the cybersecurity team at Alvarez & Marsal.
The growing use of AI-enabled tools and automated decision systems within those services is adding another layer of complexity, he says. “This is changing how risks materialise and how quickly they spread.”
The FCA’s Updated Rules
Under the FCA’s updated rules, the reporting process has been “deliberately simplified” for most firms, says Miller.
The rules require firms to complete a short form covering the essentials of an incident, with the FCA able to follow up where more detail is needed.
Meanwhile, Miller describes how “a smaller subset of higher-risk firms,” including banks, insurers, payment service providers and designated investment firms, will follow a more detailed reporting process. “They will need to submit reports across three phases: initial, intermediate, and final,” he explains.
Alongside the rules, the FCA has published finalised guidance (FG26/3 and FG26/4) covering incident and material third party reporting. “These add clearer guidance on thresholds, definitions, and responsibilities, directly addressing what firms said they needed most,” according to Miller.
The announcement follows industry feedback during the FCA's December 2024 consultation. “That revealed many firms were genuinely uncertain about which incidents to report and what information to include,” Miller explains.
At the same time, inconsistent reporting made it difficult for the regulator to identify emerging risks and respond effectively. “The new rules are designed to fix that, offering firms a clear, structured process and giving the FCA better data to act on,” Miller says.
The FCA’s updated rules bring “much-needed clarity on incident reporting,” directly addressing the industry’s uncertainty, says Matt Cooke, EMEA cybersecurity strategist at Proofpoint. “This should be seen as a strategic move to strengthen cyber resilience, transforming uncertainty into actionable insights, with the aim of promoting industry-wide collaboration.”
Emerging Threats
The FCA’s rules come at the ideal time. The financial sector is facing a number of emerging threats that will impact firms in the future.
Beyond traditional ransomware, the sector is facing “severe systemic risks” from “single points of failure” in cloud and service provider infrastructure, says Dray Agha, senior manager of security operations at Huntress.
“One vendor outage can cascade across multiple institutions, alongside the rapid weaponisation of artificial intelligence by threat actors to execute highly convincing, automated attacks at scale,” he says.
Indeed, AI is reshaping the threat picture in both directions, experts say. “While firms are adopting AI to improve fraud detection and operational efficiency, threat actors are using it to generate more convincing phishing campaigns, automate vulnerability exploits, and accelerate the development of malware,” says Miller.
A significant new frontier involves AI agents making “human” mistakes, according to Cooke. “Agents can be prompt engineered, leak credentials, run risky code, or overshare data. AI deployments, such as Copilot and ChatGPT, are significantly increasing data exposure as agents access broadly shared files and surface data users did not intend to expose.”
Geopolitical instability is another driver. “State-sponsored threat actors are increasingly targeting critical financial infrastructure, with attacks designed to destabilise markets and erode public confidence,” Miller warns.
Minimum Standard For Security
With threats such as these predicted to surge, the FCA’s updated rules should serve as a minimum standard for security. Firms have 12 months to prepare before the rules take effect in March 2027. That preparation “should go beyond updating reporting templates”, Miller says.
The rules align with a broader regulatory direction of travel that firms should be tracking, says Miller. “The EU's Digital Operational Resilience Act (DORA) and the UK's pending Cyber Security and Resilience Bill both reflect the same underlying concern: that operational resilience cannot be treated as an afterthought. Firms operating across jurisdictions need to ensure their frameworks are coherent across these overlapping requirements, not managed in silos.”
The first priority is getting clarity on your third party landscape, Miller advises. “The FCA's material third party guidance (FG26/4) requires firms to assess which suppliers and vendors meet the threshold of 'material', meaning a disruption or failure could cause serious harm to clients or the firm's ability to operate. Firms should be thinking about their key IT suppliers, suppliers with access to their premises and data – theirs or their clients'. This assessment needs to be systematic, documented, and refreshed regularly.”
At the same time, incident response plans and processes should be “fast and structured,” according to Miller. “The new rules require most firms to report within 24 hours of determining a threshold has been met, and enhanced reporting firms must move even faster. I would recommend that these plans are tested regularly, to ensure they remain current and effective.”
Governance matters, says Miller. “The FCA expects firms to establish clear accountability for meeting reporting obligations. In practice, this means senior leadership ownership, not just a compliance or IT team function. Organisations must ensure board-level visibility and ownership of operational and cyber risk.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist