
In the face of the growing threat posed by hackers targeting the financial sector, regulators in the U.K. are adopting a new regime that aims to make it easier for firms to report attacks so that regulators can also respond more quickly. 

The U.K.’s Financial Conduct Authority (FCA) announced on Wednesday that it has finalized new rules intended to speed up the industry’s reporting of cybersecurity incidents that hit firms directly or through third-party technology providers.

The regulator noted that cyberattacks on the financial industry are “becoming more frequent and more sophisticated” – and that they’re increasingly targeting external technology suppliers.

“In 2025, over 40% of cyber incidents reported to us involved a third party and we have seen several recent high-profile incidents impacting the financial services sector including the Cloudflare and AWS outage,” the FCA reported.

Additionally, as the industry becomes more interconnected, cyberattacks “can have an even bigger impact,” it said — representing a growing systemic vulnerability.

As a result, it’s seeking to improve the industry’s reporting of these kinds of incidents, to enable regulators to respond more quickly and effectively to potentially systemic disruptions.

Among other things, the new rules, which will take effect on March 18, 2027, aim to eliminate duplicative reporting obligations; create a single reporting portal for the FCA, along with the Prudential Regulation Authority (PRA) and Bank of England; and revise the sort of information that firms are required to report.  

“These new rules will help us respond quickly to disruption such as a cyber attack or power outage, give firms greater certainty on what to report and when and strengthen firm resilience to better protect consumers and markets,” the FCA said.

In a release, Mark Francis, director of specialists and wholesale sell-side at the FCA, said the new reporting regime gives “firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.” 

He said the FCA will use the data collected in cyber-incident reports to “help firms bolster their operational resilience and share relevant information with industry, where appropriate during widespread disruption, particularly in stressed market conditions.”

Two years after the new reporting regime has been implemented, the FCA will review its results “to ensure it works effectively for firms and delivers the outcomes we expect,” the regulator said.