On May 18, 2017, the FCA published a new Web page on cyber resilience.

The FCA notes that cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.

The FCA’s goal is to help firms become more resilient to cyberattacks while ensuring that consumers are protected and market integrity is upheld. To achieve this, firms of all sizes should:

• Develop a “security culture” from the board down to every employee.
• Be able to identify, prioritize and protect their information assets (that is, hardware, software and people).
• Detect breaches.
• Respond to and recover from incidents.
• Constantly evolve to meet new threats.

Under Principle 11 of the FCA’s Principles for Businesses, firms must report material cyber incidents. A firm may consider an incident to be material if it:

• Results in significant loss of data or the availability or control of the firm’s IT systems.
• Impacts a large number of victims.
• Results in unauthorized access to, or malicious software present on, the firm’s information and communication systems.

These requirements will be updated in line with any future regulations.

Where a firm considers an incident to be material for Principle 11 purposes, it should report this to the FCA and other relevant authorities, including the PRA if the firm is dual-regulated, and to the Information Commissioner’s Office (ICO) if the incident is a data breach.

The FCA states that cybersecurity is a shared responsibility. It takes a cooperative approach to address the threat, working with government and other regulators, nationally and internationally. The Web page contains a link to the National Cyber Security Centre (NCSC) website, together with links to relevant FCA publications.