Cybersecurity Isn’t Just an IT Issue but a Regulatory One, Too

When it comes to cybersecurity, we usually think of it as primarily an IT issue. However, there’s a lot more to think about than the impact on your computer.

Cybersecurity is a regulatory issue too. That’s why the Financial Conduct Authority (FCA), the UK’s financial services regulator, has been vocal about the risk of cyber-attacks. They support efforts made by firms to become more resilient against such attacks on their data.

The FCA and cybersecurity

In fact, the FCA view promoting robust cybersecurity protection as something that helps them to meet their consumer protection and market integrity objectives. Their recommendations include encryption, keeping systems updated and educating staff on cybersecurity matters.

It isn’t really surprising that the FCA makes cybersecurity a priority, given the nature and amount of data held by the financial services sector.


When it comes to regulations, cyber-resilience has become embedded in the general concept of operational resilience, which covers different types of operational disruption. Operational resilience is a broad term for the ability of firms to prevent, respond and adapt to, and recover and learn from operational disruptions such as cyber-attacks. So, cybersecurity plays a key role in the protection of operations.

The FCA Handbook

The FCA has a list of Principles for businesses and sets of rules. The Principles cover rules firms must abide by, such as the first two rules, which say they must conduct their business with integrity, due skill, care and diligence.

There are different sets of rules, but those which are perhaps most relevant to cybersecurity are the overall Principles, SYSC and SUP. Both the SYSC and SUP, as well as other sets of rules and principles, are located in the FCA’s Handbook.

SYSC stands for Senior Management Arrangements, Systems and Controls Sourcebook. Its overall purpose is to encourage businesses to take ownership of their plans in relation to all matters that concern the FCA, which would include cybersecurity.

SUP is the FCA’s supervision manual, which outlines the day-to-day relationship between the FCA and firms, amongst other parties.

Under the FCA’s rules, you will need to report cyber-attacks that affect your business as soon as you are made aware of them. This relates to Principle 11 and certain parts of SUP 15.3.

Principle 11, outlined in PRIN 2.1 of the Handbook, defines the relationship between firms and the FCA. The principle states that businesses must communicate with their regulators in an ‘open and cooperative’ manner and ‘must disclose to the FCA’ anything of which a ‘regulator would reasonably expect notice’. SUP 15.3 gives further guidance and rules on what constitutes a business matter that the FCA would expect notice of.

When to report a cybersecurity incident to the FCA

An incident may be material enough to warrant disclosure if it leads to a significant loss of data or unauthorised access to IT systems, amongst other measures. So, cyber-attacks would be very likely to warrant reporting to the FCA.

Some important parts of the SYSC in relation to cybersecurity include Article 23 and section 7, which outline businesses’ responsibilities in relation to establishing sufficient risk management policies and risk control measures. Article 21.2 also states that firms must have adequate processes in place to ‘safeguard the security, integrity and confidentiality of information’. This would include protecting vulnerable data from cyber-attacks.


If you’re concerned about the cybersecurity of your firm, then give us a call. We’ll assess your current situation and consult with you, to help determine where you need to be and identify the best options for your business.