
Cyber Incident Response for Financial Services: FCA, ICO, and Client Notification in 72 Hours

When a cyber incident strikes a financial services firm, the clock starts immediately, and the regulatory notification deadlines run in parallel with the technical response. The FCA expects prompt notification of material operational incidents: Principle 11 and SUP 15.3 require a firm to notify the FCA immediately it becomes aware of a matter that could have a significant adverse impact on the firm or its customers, so in practice 72 hours from awareness is the outer limit, not the target. The ICO requires notification of a personal data breach within the same 72-hour window under UK GDPR Article 33. Client notification may be required within hours if there is a risk of immediate financial harm. For a firm without a tested incident response plan, managing a live incident, containing the damage, investigating the cause and meeting three regulatory notification timelines at once is, practically speaking, impossible. This guide sets out the sequence.

The FCA expects prompt notification of material cyber incidents, in practice within the same 72-hour window as ICO GDPR breach reporting. Both clocks start from the moment the firm becomes aware of the incident, not from when the incident began.

Hours 0–4: Immediate Containment and Command

The first four hours are the most critical — decisions made in this window determine whether a manageable incident becomes a catastrophic one:

  • Activate your incident response plan: Identify the incident commander (the Senior Manager accountable under SMCR); convene the response team
  • Contain before you investigate: Isolate affected systems from the network (pull the cable, disable the switch port or apply host firewall rules) rather than shutting them down, so memory, running processes and network state survive for forensics; capture volatile memory first where tooling allows. Decide which compromised accounts and sessions to disable, and rotate any credentials the attacker is known to hold
  • Preserve evidence: Do not reinstall, reformat, or power down affected devices without forensic preservation (disk and memory images, exported logs, and recorded hashes for each artefact). Engage your incident response provider immediately
  • Assess scope: What systems are affected? What data may have been compromised? Is the attack ongoing?
  • Notify key internal stakeholders: CEO, CFO, General Counsel, compliance team — they need to know now
  • Contact your cyber insurer: Most cyber insurance policies require notification within hours — check your policy. Your insurer may provide incident response support
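The containment and evidence-preservation steps above, as an added example that is not part of the original guide: a POSIX shell script for a Linux host that snapshots the volatile state a shutdown would destroy, hashes it into a manifest the forensic provider can verify, and only then isolates the host at the network layer so the machine stays running but the attacker cannot use it. Assumptions: the script runs as root on the affected host, iptables is present, and the IR jump-host address passed to isolate_host is a placeholder for your own incident-response bastion; everything else is standard coreutils, procps and iproute2.

```shell
#!/bin/sh
# Added example, not from the original guide. Preserve volatile evidence on a
# Linux host, then isolate it at the network layer instead of powering it off.
# Assumes root on the affected host and iptables; the IR jump-host address is
# a hypothetical placeholder for the bastion that must keep reaching the box.
set -u

# collect_volatile DIR: snapshot what a reboot would destroy (processes,
# sockets, logins, ARP/route tables, current firewall rules), then hash every
# file so the forensic provider can prove nothing changed after collection.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/collected_at_utc.txt"
    id -un > "$dir/collected_by.txt" 2>/dev/null || true
    uname -a > "$dir/uname.txt" 2>/dev/null || true
    ps -eo pid,ppid,user,lstart,cmd > "$dir/processes.txt" 2>/dev/null \
        || ps > "$dir/processes.txt" 2>/dev/null || true
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$dir/sockets.txt" 2>/dev/null || true
    else
        netstat -tunap > "$dir/sockets.txt" 2>/dev/null || true
    fi
    who -a > "$dir/logins.txt" 2>/dev/null || true
    { ip addr; ip route; ip neigh; } > "$dir/network.txt" 2>/dev/null || true
    iptables-save > "$dir/iptables_before_isolation.txt" 2>/dev/null || true
    # Hash last: MANIFEST.sha256 is the chain-of-custody record for these files.
    ( cd "$dir" && sha256sum ./*.txt ) > "$dir/MANIFEST.sha256"
    [ -s "$dir/MANIFEST.sha256" ]
}

# verify_evidence DIR: re-check the manifest; returns non-zero if any file changed.
verify_evidence() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 )
}

# isolate_host IR_HOST: allow only loopback and the IR jump host, then drop
# everything else. The allow rules are inserted BEFORE the policies flip so
# the responder's own session is not cut. Memory, processes and open files
# all survive; the attacker's sessions do not.
isolate_host() {
    ir="$1"
    iptables -I INPUT 1 -i lo -j ACCEPT
    iptables -I OUTPUT 1 -o lo -j ACCEPT
    iptables -I INPUT 2 -s "$ir" -j ACCEPT
    iptables -I OUTPUT 2 -d "$ir" -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
}

# Usage on the affected host (evidence first, isolation second):
#   collect_volatile "/root/ir-evidence-$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)"
#   isolate_host 10.0.0.5   # placeholder: your IR jump host
```

The script deliberately does not flush existing firewall rules: a pre-existing ACCEPT rule could still let some traffic through, but the rule set itself is evidence (it is saved in the collection step), so flush it only after that snapshot is in the manifest. Disk and memory imaging are left to the forensic provider's tooling; this script exists so that the volatile state is on record before anyone touches the box.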

Hours 4–24: Regulatory Assessment and Notification Decision

Once initial containment is achieved, the regulatory notification assessment begins:

  • FCA notification: Is this a material operational incident? Material means: significant loss of data, unavailability of services affecting clients, or significant impact on financial stability. If yes, notify via Connect within 72 hours
  • ICO notification: Has personal data been compromised, or is there a risk that it has? UK GDPR Article 33 requires notification to the ICO within 72 hours of awareness unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Record the assessment either way: Article 33(5) requires every breach to be documented, including those you decide not to report
  • PRA notification (if applicable): Banks and insurers must notify the PRA separately — same 72-hour timeframe
  • PSR notification (if applicable): Payment service providers must notify the PSR of major operational or security incidents
  • Client notification: If there is risk of immediate client financial harm — such as fraudulent payment instructions — notify affected clients without waiting for the full investigation
  • Legal privilege: Engage legal counsel immediately. Forensic and advisory work commissioned through external lawyers can attract legal professional privilege, but privilege covers the advice and the communications around it, not the underlying facts of the incident, which must still be reported to regulators

Hours 24–72: Investigation, Remediation, and Regulatory Reporting

The 24–72 hour window is where the formal regulatory notifications are drafted and submitted, and where the remediation begins:

  • FCA initial notification: Submit the initial notification through the FCA's Connect system — the FCA expects a prompt notification even if full details are not yet known
  • ICO notification: Complete the ICO breach notification form — you can notify with incomplete information and update subsequently
  • Board notification: Brief the board and relevant Senior Managers — decisions about client notification, media response, and further escalation require board-level involvement
  • Forensic investigation: Your incident response provider should be conducting parallel forensic investigation — root cause, attack vectors, data exfiltrated, systems compromised
  • Remediation: Begin remediating confirmed vulnerabilities, but sequence eradication behind forensic preservation: isolated systems cannot be used by the attacker, so capture images and logs before rebuilding rather than racing to wipe. Remove attacker access (credentials, persistence, backdoors) across the estate in one coordinated window, not piecemeal, so the attacker is not tipped off while still holding other footholds
  • Client communication: If client data is confirmed compromised, prepare and send client notification — GDPR requires notification without undue delay when there is high risk to individuals

After 72 Hours: Recovery, Review, and Regulatory Follow-Up

The 72-hour window closes but the regulatory obligations continue. The FCA and ICO expect follow-up reports within defined timeframes: agree the timetable with your supervisor early, because the FCA will typically want a detailed incident report within days and a root cause analysis within about a month. The ICO may request further information about the breach and the remediation. The PRA may conduct a supervisory review. Internally, the incident must trigger a formal post-incident review: what failed, what worked, what must change. The findings of that review feed into the firm's PS21/3 operational resilience self-assessment and control improvement programme, and demonstrate to regulators that the firm is learning and improving.

Frequently Asked Questions

What exactly does "material incident" mean for FCA notification purposes?

The FCA defines material operational incidents as those that result in: significant loss of data, significant unavailability or loss of services, financial crime (actual or risk), or a significant impact on financial stability. In practice, any ransomware attack on core systems, any confirmed data breach involving client data, and any incident causing client-facing service disruption for more than a few hours should be presumed material and reported. Failing to report a material incident, or reporting it late, is a regulatory breach in itself.

Can we notify the FCA before we know the full extent of the incident?

Yes — and you should. The FCA expects prompt notification even when the full picture is not yet known. An initial notification that says "we have detected a cyber incident affecting our core systems, investigation is ongoing, we will update within 24 hours" satisfies the notification obligation. The FCA's concern is with firms that delay notification while attempting to fully investigate — the notification clock runs from when you become aware, not when you finish investigating.

Do we have to tell our clients we have been hacked?

UK GDPR Article 34 requires you to notify affected individuals "without undue delay" when a breach is likely to result in a high risk to their rights and freedoms, which in financial services typically means risk to their money or financial identity. The default is direct communication with each individual, explaining what happened, what data was involved, and what they should do to protect themselves; a public communication (such as a press release) is acceptable only where direct contact would involve disproportionate effort. If there is no high risk to individuals, for example encrypted data on a device that was not accessed, individual notification may not be required, but you should still assess and document the decision.

Test your incident response plan before an incident occurs

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
