
New FCA cyber rules put third-party risk in the spotlight. Here’s what’s changed and what your business needs to do before 2027.
Something shifted in financial services last week, and it’s bigger than the sector itself.
On 18 March 2026, the Financial Conduct Authority (FCA) introduced new rules around cyber incident and third-party reporting. Firms now have a 12-month window to prepare, with enforcement beginning on 18 March 2027.
This hasn’t come out of nowhere. For years, organisations have struggled with inconsistent reporting: what qualifies as an incident, when it should be reported, and who’s ultimately accountable. The FCA has taken that feedback on board, and the result is a far more streamlined, practical framework.
So, what’s actually changed?
Third-party risk is now front and centre
In 2025, over 40% of reported cyber incidents involved a third party. High-profile outages from providers like AWS and Cloudflare demonstrated just how quickly disruption can cascade across multiple organisations.
The FCA’s response? Firms must now maintain and submit an annual register of material third-party arrangements.
Supply chain visibility is no longer a “nice to have”. It’s a regulatory requirement.
What should you be doing now?
Whether you’re directly in financial services or part of the wider supply chain, there are some clear priorities:
Cyber risk has never respected organisational boundaries. What’s changed is that now you’re accountable for the entire chain.
The question is: can you confidently stand behind every link?