Cybersecurity for financial services is no longer simply an IT concern. It sits at the centre of regulatory compliance, operational continuity, and reputational risk. UK banks, insurers, and asset managers operate under some of the most demanding cyber governance expectations in any sector, and the consequences of falling short are significant.
According to independent research commissioned by the UK government and published in November 2025, cyberattacks cost financial services firms an average of £309,000 per incident, among the highest of any UK sector [1]. For organisations handling sensitive customer data and critical financial infrastructure, robust cyber governance is not optional; it is a legal obligation.

The UK Financial Services Cybersecurity Regulatory Landscape
Cybersecurity for financial services in the UK is governed by a layered framework of obligations, and understanding who expects what is the first step to compliance. The Financial Conduct Authority sets the tone through its FCA cybersecurity guidance, which makes clear that firms must manage cyber risk as part of their broader operational and conduct obligations.
Alongside the FCA, the Prudential Regulation Authority places cyber and technology risk at the heart of its supervisory agenda, with PRA operational resilience expectations now embedded in binding policy rather than guidance alone.
For firms with operations or counterparties in the EU, DORA compliance is a pressing concern. The Digital Operational Resilience Act applies directly to EU-regulated entities and their ICT third-party providers, including many UK firms that operate across borders. Even without formal UK transposition, firms with EU exposure are expected to meet DORA's requirements, and the FCA has signalled its intention to align domestic frameworks accordingly.
Taken together, these overlapping authorities create a complex but navigable regulatory environment, provided organisations understand their specific obligations and plan accordingly.
Operational Resilience Expectations
PRA operational resilience requirements ask firms to do something deceptively simple: identify the business services that matter most and prove they can keep delivering them through disruption. In practice, this demands a level of internal clarity that many organisations are still working to achieve.
The PRA and FCA's joint policy statement on operational resilience requires firms to map their important business services, set impact tolerances, and, critically, test whether those tolerances can actually be met. This is not a box-ticking exercise. Regulators expect evidence that scenario testing is realistic, that vulnerabilities have been identified, and that remediation plans are actionable rather than aspirational.
Regarding cybersecurity for financial services, this means aligning security incident response planning with broader business continuity frameworks. A cyber incident does not exist in isolation; it has downstream effects on customer access, data integrity, and regulatory reporting obligations.
UK financial institutions' cyber obligations now extend to demonstrating that important business services can remain within agreed impact tolerances even when a significant cyber event occurs. Firms that treat operational resilience and cybersecurity as separate workstreams will struggle to satisfy regulators on either front.
Cyber Incident Reporting Obligations
When a cyber incident occurs, how a firm responds in the first hours matters as much as its technical defences. Incident reporting for financial services is a structured regulatory obligation, not a discretionary communication.
The FCA and PRA both require firms to notify them of significant operational incidents, including those caused by cyberattacks. FCA cybersecurity guidance makes it clear that firms should report material incidents without undue delay, with initial notification expected as soon as a firm becomes aware that a threshold has been met.
The key reporting triggers include:
- Incidents causing a significant impact on the firm's ability to provide services.
- Events affecting many customers or transactions.
- Incidents that could attract reputational damage or media attention.
- Breaches involving the compromise of client data or systems relied upon by third parties.
Following initial notification, firms are expected to provide updates as the incident develops and submit a final report once the matter is resolved. Timelines vary depending on the nature of the incident and the applicable regime, but the direction of travel is consistently towards faster, more detailed disclosure.
Incident reporting for financial services is also expected to improve under proposed FCA reforms published in late 2024, which aim to streamline reporting requirements and bring UK obligations closer into alignment with DORA standards. Firms that invest in clear internal escalation processes and pre-agreed reporting templates will be significantly better placed when an incident occurs.
Managing Third-Party Cyber Risk
Third-party risk management for financial services firms has become one of the most scrutinised areas in the regulatory agenda, and the data shows why. Research published by Orange Cyberdefense in February 2025, drawing on a survey of 200 UK CISOs, found that 58% of large UK financial services firms suffered at least one third-party supply chain attack in 2024, with 23% targeted three or more times [2]. Critically, firms that assessed third-party risk only at onboarding suffered attacks at more than double the rate of those that applied continuous monitoring.
Regulators have taken note. The FCA and PRA expect firms to conduct thorough due diligence before onboarding any supplier with access to critical systems or data, and to maintain that scrutiny throughout the relationship. Contractual protections are part of this, and service level agreements should address security standards, audit rights, and incident notification obligations.
But they are not sufficient on their own. Third-party risk management for financial services means ongoing monitoring: regular assessments, right-to-audit clauses exercised in practice, and a clear understanding of which suppliers could cause operational disruption if compromised. Concentration risk, where many firms rely on the same critical third party, is a specific supervisory concern, and regulators expect boards to have visibility of these dependencies.
Penetration Testing and Security Assessments
Penetration testing mandates in financial services are increasingly explicit. Regulators expect firms to test their defences regularly, using both internal capability and independent external expertise, and to act on what they find.
The FCA and PRA do not prescribe a single testing regime, but supervisory expectations are clear: penetration testing should be proportionate to the firm's risk profile, cover critical systems and applications, and be conducted at a frequency that reflects the pace of change in the threat landscape.
For larger, more complex institutions, annual external penetration tests represent a minimum rather than a ceiling. DORA introduces a more structured requirement through its Threat-Led Penetration Testing framework, which mandates advanced testing for significant financial entities and their critical ICT providers. Penetration testing mandates under DORA are designed to simulate real-world attack scenarios, going beyond standard vulnerability assessments to evaluate how well a firm's defences would hold against a sophisticated, targeted threat actor.
The results of testing should feed directly into remediation plans, with findings tracked to closure and reported at board or risk committee level. Regulators regard a firm's approach to security testing as a meaningful indicator of its broader cyber maturity.
Regulatory Examination Priorities
Regulatory examinations for cybersecurity are becoming more structured, more frequent, and more technically informed. Supervisors at the FCA and PRA have developed significant in-house expertise, and firms that prepare for examinations as if they were primarily a paperwork exercise will find themselves caught out.
Current examination priorities for cybersecurity in financial services include:
- Governance and board oversight of cyber risk, including evidence that boards receive meaningful management information rather than purely technical reporting.
- Third-party and supply chain risk management, with particular scrutiny of concentration risk and the adequacy of contractual protections.
- Incident response planning, including whether firms have rehearsed their plans and whether escalation procedures are clearly understood.
- PRA operational resilience compliance, particularly the quality and realism of scenario testing and impact tolerance setting.
- Penetration testing programmes and the tracking of findings to remediation.
Common gaps identified during examinations include insufficient board engagement with cyber risk, third-party assessments that remain superficial beyond the onboarding stage, and incident reporting processes that exist on paper but have not been tested under realistic conditions.
Regulatory examinations for cybersecurity will increasingly assess a firm's alignment with emerging frameworks such as DORA, even where direct applicability is limited. Firms that demonstrate proactive alignment, rather than waiting for formal domestic transposition, signal a maturity of approach that regulators respond to positively.
How Solace Cyber Supports Financial Services Compliance
Cybersecurity for financial services demands more than technical controls. It requires a clear, confident understanding of regulatory expectations and how your organisation measures up. Solace Cyber works with UK banks, insurers, and asset managers to navigate FCA, PRA, and DORA obligations, identify gaps before regulators do, and build the evidence base that demonstrates genuine resilience.
From penetration testing and security assessments to ransomware recovery, incident response planning, and preparation for regulatory cybersecurity examinations, Solace Cyber provides the specialist support financial services teams need to stay compliant, stay secure, and stay ahead.
Get in touch with Solace Cyber to discuss how we can support your organisation's regulatory compliance and cybersecurity resilience.
References
[1] GOV.UK, independent research commissioned by the UK government on the economic impact of cyber attacks on the UK (published November 2025): https://www.gov.uk/government/publications/independent-research-on-the-economic-impact-of-cyber-attacks-on-the-uk/summary-of-research-on-the-economic-impact-of-cyber-attacks
[2] Orange Cyberdefense, research on third-party supply chain attacks against UK financial services institutions in 2024, based on a survey of 200 UK CISOs (published February 2025): https://www.orangecyberdefense.com/uk/insights/over-half-of-uk-financial-services-institutions-have-suffered-at-least-one-third-party-supply-chain-attack-in-2024