FCA Cybersecurity Requirements: What UK Financial Firms Must Have in Place

In 2018, the FCA fined Tesco Bank £16.4 million after a cyberattack led to fraudulent transactions on 34,000 accounts — not because the bank was attacked, but because it failed to exercise due skill, care and diligence in managing its cybersecurity defences. That precedent has never been reversed. Every FCA-regulated firm — from a one-person IFA to a mid-tier wealth manager — is expected to demonstrate documented, tested, and proportionate security controls. The question is not whether the FCA cares about cybersecurity. It is whether your firm can prove it does too.

FCA fined Tesco Bank £16.4M in 2018 for failing to prevent a cyberattack — the largest cyber-related fine in UK financial services at the time.

What FCA Rules Actually Require

The FCA does not publish a cybersecurity checklist, but its Handbook contains clear obligations that security controls must satisfy:

  • SYSC 13.7: Firms must take reasonable care to establish and maintain effective systems and controls for countering the risk that the firm might be used for financial crime
  • SYSC 13.9: Firms must assess risk from third-party IT providers and ensure adequate business continuity arrangements
  • SYSC 6.1.1: Systems and controls must be appropriate to the nature, scale and complexity of the business
  • PS21/3 (Operational Resilience): Firms must identify important business services, set impact tolerances, and demonstrate they can remain within tolerance during severe but plausible disruption
  • FCA Principle 3: A firm must take reasonable care to organise and control its affairs responsibly — including IT security
  • GDPR / UK GDPR (joint FCA/ICO jurisdiction): Firms must implement appropriate technical and organisational measures to protect personal data

The FCA Enforcement Pattern You Need to Understand

FCA cyber enforcement actions share a consistent pattern: the regulator finds not just that an attack occurred, but that the firm failed to implement controls proportionate to the risk it faced. Tesco Bank had known vulnerabilities in its payment systems that attackers exploited. The FCA's position is that firms which have not conducted documented threat assessments, tested their incident response, and implemented basic controls — MFA, patching, network segmentation, staff training — cannot credibly argue they met their SYSC obligations. Firms under active FCA supervision should expect cybersecurity to feature in their supervisory review.

Controls the FCA Expects to See Documented

Based on FCA enforcement, Dear CEO letters, and the operational resilience policy framework, regulators expect firms to maintain evidence of:

  • A documented information security policy, approved by senior management, with a named SMCR Senior Manager accountable for it
  • Annual cyber risk assessments mapped to important business services
  • Multi-factor authentication on all email, client portals, and remote access systems
  • A tested cyber incident response plan — tested meaning tabletop or live exercise in the past 12 months
  • Third-party risk management: due diligence records for all material IT and data vendors
  • Staff security awareness training — documented, dated, with attendance records
  • Vulnerability scanning and patching cadence — with evidence of remediation timelines
  • Backup and recovery testing: not just backups taken, but restoration tested

How Kyanite Blue Helps FCA-Regulated Firms Demonstrate Compliance

Coro delivers endpoint protection, email security, and identity controls across your firm — producing the audit trail FCA supervisors expect. Every policy applied, every threat blocked, and every anomaly flagged is logged and reportable. For firms that need to demonstrate proportionate, documented controls without building an in-house security team, Coro backed by Collective IP's managed service gives you the defensible compliance posture the FCA requires — and evidence of it when you need it most.

Frequently Asked Questions

Does the FCA require Cyber Essentials certification?

The FCA does not mandate Cyber Essentials, but the NCSC strongly recommends it for all financial services firms, and many professional indemnity and cyber insurers now require it as a condition of cover. Cyber Essentials demonstrates the baseline controls — MFA, patching, firewall configuration, access controls — that the FCA expects to see in any firm's control environment.

What must we report to the FCA after a cyber incident?

Firms must notify the FCA of any material cyber incident through the FCA's online reporting system. The FCA considers an incident material if it results in significant loss of data, unavailability of systems, or impact on clients. PS21/3 requires firms to notify the FCA and PRA within 72 hours of becoming aware of a major operational incident. Separately, the ICO must be notified within 72 hours if personal data is at risk.

We are a small IFA — do FCA cybersecurity rules apply to us?

Yes. The FCA applies a proportionality standard — smaller firms are not expected to have the same controls as a major bank — but all regulated firms must have controls appropriate to their scale and the data they hold. An IFA holds client financial data, investment portfolios, and personal information. That is sufficient to require documented policies, MFA, staff training, and a basic incident response plan.
