
FCA Cyber Incident Reporting: Frequently Asked Questions

The FCA's cyber incident reporting requirements are among the most commonly misunderstood obligations in financial services. Firms frequently ask: does this incident need to be reported? How quickly? What happens if we report late? What information do we need to provide? Following the ION Group and Finastra incidents — and with DORA's incident reporting framework now in force for firms with EU exposure — these questions have never been more operationally critical. This FAQ answers them definitively.

The FCA expects notification of a material operational incident immediately on the firm becoming aware of it (Principle 11 and SUP 15.3). This is a separate clock from the ICO's 72-hour GDPR notification window for personal data breaches; where both apply, the two run in parallel.

The Core Reporting Framework

FCA cyber incident reporting sits alongside the operational resilience framework established by PS21/3 (important business services and impact tolerances) and the general notification duties in Principle 11 and SUP 15.3. The key principles:

  • All FCA-regulated firms are required to notify the FCA of material operational incidents — including cyber incidents — as soon as they become aware
  • The FCA considers an incident material if it results in significant loss of data, unavailability of systems for a significant period, significant financial loss, or significant impact on consumers
  • Initial notification is expected immediately on becoming aware, with whatever information the firm has at the time (SUP 15.3); the 72-hour window is the ICO's GDPR deadline for personal data breaches and runs separately from the FCA notification
  • Firms must also notify the FCA when they become aware that an incident may become material — proactive, not reactive, notification is expected
  • Dual regulated firms (regulated by both FCA and PRA) must notify both regulators

Frequently Asked Questions

What counts as a "material" cyber incident for FCA reporting purposes?

The FCA does not publish a precise definition of materiality — it applies a facts and circumstances test. An incident is likely material if it: (1) affects the availability, integrity, or confidentiality of systems supporting important business services; (2) results in significant data loss, including personal data of clients or staff; (3) causes or threatens significant financial loss to the firm or its clients; (4) affects a significant number of clients; or (5) results in the firm breaching regulatory requirements. When in doubt, the FCA's expectation is that firms err on the side of notification. The cost of a late or missed notification is significantly higher than the cost of notifying an incident that subsequently proves non-material.

We were attacked but contained the incident before any data was lost. Do we still need to notify?

Possibly yes. The FCA's expectation is that firms notify when they become aware of an incident that may be material — the absence of confirmed data loss does not mean an incident is non-material. If your systems were compromised, if the attack affected important business services, or if the attacker had access to client data even briefly, the incident may be reportable. You should conduct a documented materiality assessment for every incident and maintain a record of your assessment — even for incidents you determine are not reportable.
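The materiality checklist above and the "document every assessment, even the non-reportable ones" point can be turned into a small triage record. The following is an added illustration for this FAQ, not FCA tooling or Kyanite Blue's own code. It encodes the five indicators listed in the previous answer, treats a contained attack in which the attacker reached client data as "may become material" (so the FCA is still notified), and records the notification clocks: FCA (and PRA, if dual-regulated) immediately on awareness under Principle 11 / SUP 15.3, and the ICO within 72 hours of awareness under UK GDPR Article 33. The field names, the record layout and the client-count threshold are assumptions; the FCA publishes no numeric threshold, so the constant is a per-firm setting.

```python
"""Materiality triage record for a suspected cyber incident.

Added illustration, not FCA tooling or Kyanite Blue's own code. Field
names, record layout and SIGNIFICANT_CLIENT_COUNT are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

ICO_WINDOW = timedelta(hours=72)      # UK GDPR Art. 33: 72 hours from awareness
SIGNIFICANT_CLIENT_COUNT = 100        # assumption: set per firm, the FCA gives no number


@dataclass
class Incident:
    ref: str
    discovered_at: str                          # ISO-8601 with offset, e.g. "2025-03-01T09:00:00+00:00"
    affects_important_business_service: bool = False
    significant_data_loss: bool = False
    significant_financial_loss: bool = False
    clients_affected: int = 0
    regulatory_breach: bool = False
    personal_data_involved: bool = False
    attacker_reached_client_data: bool = False  # even briefly, even if contained
    clients_need_to_act: bool = False           # e.g. reset credentials, monitor accounts
    dual_regulated: bool = False                # FCA + PRA


def triggered_criteria(inc: Incident) -> list[str]:
    """Return the FAQ's materiality indicators that this incident meets."""
    checks = [
        (inc.affects_important_business_service, "important business service affected"),
        (inc.significant_data_loss, "significant data loss"),
        (inc.significant_financial_loss, "significant financial loss"),
        (inc.clients_affected >= SIGNIFICANT_CLIENT_COUNT, "significant number of clients affected"),
        (inc.regulatory_breach, "regulatory requirement breached"),
    ]
    return [label for hit, label in checks if hit]


def assess(inc: Incident) -> dict:
    """Build the documented assessment record to keep for every incident,
    including those judged not reportable."""
    aware = datetime.fromisoformat(inc.discovered_at)
    criteria = triggered_criteria(inc)
    if criteria:
        status = "MATERIAL"
    elif inc.attacker_reached_client_data or inc.personal_data_involved:
        # Contained, no confirmed loss, but may become material: still notify.
        status = "MAY_BECOME_MATERIAL"
    else:
        status = "NOT_MATERIAL"

    notify_by: dict[str, str] = {}
    if status != "NOT_MATERIAL":
        notify_by["FCA"] = aware.isoformat()      # immediately on awareness
        if inc.dual_regulated:
            notify_by["PRA"] = aware.isoformat()
    if inc.personal_data_involved:
        # Backstop deadline only; whether an ICO report is required at all is
        # the separate Art. 33 "risk to individuals" assessment.
        notify_by["ICO"] = (aware + ICO_WINDOW).isoformat()
    if inc.clients_need_to_act or inc.significant_financial_loss:
        notify_by["clients"] = aware.isoformat()  # in parallel with regulators, not after

    return {
        "ref": inc.ref,
        "assessed_at": datetime.now(timezone.utc).isoformat(),
        "status": status,
        "criteria_met": criteria,
        "notify_by": notify_by,
    }


if __name__ == "__main__":
    # Constructed scenario from the FAQ: attack contained, no confirmed loss,
    # but the attacker briefly reached client records holding personal data.
    contained = Incident(ref="INC-0001", discovered_at="2025-03-01T09:00:00+00:00",
                         personal_data_involved=True, attacker_reached_client_data=True)
    print(json.dumps(assess(contained), indent=2))
```

The record is deliberately produced for the NOT_MATERIAL case too, since the absence of a record is what is hard to defend later; store the JSON with the ticket rather than only the decision.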

What information must we provide in an FCA cyber incident notification?

Initial notifications should include: the nature and scope of the incident (what happened, which systems were affected); when the incident was discovered and when it began; the impact on clients and business services; what immediate steps have been taken to contain or remediate; whether personal data is involved (ICO notification may also be required); and your contact details for follow-up. The FCA expects follow-up reports as the incident develops and a final report when remediation is complete. You do not need to have all the answers before notifying — initial notification with the information you have is better than delayed notification while you investigate.

What happens if we notify the FCA late?

Late notification can itself constitute a regulatory breach. The FCA has sanctioned firms for failing to notify incidents promptly — both in cyber cases and in broader operational incidents. In practice, the FCA's response to an incident notification considers both the underlying incident and the firm's conduct in managing and reporting it. A firm that notifies promptly, demonstrates it had a tested incident response plan, and cooperates fully with the FCA's enquiries is in a substantially better position than one that delayed notification and had no documented response procedure.

Do we need to notify clients as well as the FCA after a cyber incident?

Client notification requirements depend on the nature of the incident. If personal data was involved, GDPR requires you to assess whether notification to affected individuals is necessary — the ICO provides guidance on when individual notification is required. If clients face financial risk or need to take action (e.g., change passwords, monitor accounts), the FCA expects prompt client communication. For incidents involving potential financial loss to clients — such as account compromise or payment fraud — client notification should typically happen in parallel with regulatory notification, not after it.

Build an FCA-compliant incident response capability

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
