FCA rules sharpen third-party cyber oversight

FCA rules tighten cyber reporting across financial services supply chains. Arqit says the bigger test is retaining control when critical infrastructure, data, and services sit beyond an institution’s own estate.


The package, developed with the Prudential Regulation Authority and the Bank of England, is designed to streamline how incidents are reported and to improve regulators’ view of weaknesses building across the sector. The FCA said more than 40% of cyber incidents reported to it in 2025 involved a third party, underlining how heavily regulated institutions now depend on external providers for infrastructure and service delivery.

The new framework includes clearer thresholds, definitions, and responsibilities, and will move incident reporting onto a single standardised process. Firms have a year to prepare before the rules come into force on 18 March 2027, and the regulator has published the full rules and guidance.

Michael Murphy, deputy CTO at Arqit, said: “The FCA’s latest guidance reflects how operational risk is changing across the financial sector. As firms rely more heavily on third-party providers, resilience is no longer just about protecting internal systems — it extends across a much wider and often more complex digital supply chain.”

Murphy said the reporting changes should help institutions and regulators react faster when services fail, but argued that disclosure on its own will not solve the deeper issue created by shared infrastructure. As more critical workloads run across cloud, outsourced, and platform-based environments, the challenge for banks, insurers, and payments businesses is not only knowing when something has gone wrong, but retaining meaningful control over the assets customers rely on.

He added: “Clearer rules around incident and third-party reporting are a positive step. They should help firms respond more quickly to disruption and give regulators better visibility into emerging risks. But they also highlight a deeper issue. If a growing share of incidents originate outside a firm’s direct control, then reporting alone can only go so far.”

Murphy pointed to encryption and confidential computing as part of that next layer of resilience. “Encryption is playing a much bigger role than many organisations realise,” he said. “That’s why approaches like confidential computing are gaining traction — because they allow sensitive workloads to remain protected even while they are being used.”

The FCA has framed the reforms as part of a wider resilience push, following recent high-profile outages affecting financial services supply chains. For regulated businesses, the direction is becoming more explicit: map dependencies more clearly, report material disruption faster, and strengthen the technical controls that remain effective even when data and processing move beyond the perimeter.
