Cybersecurity for UK Financial Services Firms
FCA-regulated firms face increasing scrutiny over IT security controls. AMVIA delivers managed cybersecurity aligned to FCA PS21/3 operational resilience requirements, DORA, and the practical needs of IFAs, wealth managers, and financial advisory businesses.
Cybersecurity Risk in UK Financial Services
Financial services firms remain among the highest-value targets for cybercriminals, given their access to client funds and commercially sensitive data.
Regulated firms must report material operational incidents to the FCA within 72 hours of identification under PS21/3.
The FCA's largest cybersecurity-related enforcement action highlights the regulatory stakes for FS firms of all sizes.
FCA Operational Resilience & Cybersecurity Obligations
Under PS21/3 and the FCA's Operational Resilience policy, regulated firms must identify important business services, set impact tolerances, and demonstrate they can remain within tolerance during severe but plausible disruption. The FCA's SYSC 13 rules require firms to manage operational risk — including IT and cybersecurity risk — as part of their systems and controls. DORA (the Digital Operational Resilience Act) extends these requirements further for financial entities. AMVIA works with FCA-regulated firms to implement the technical controls required to meet these obligations, including managed SOC services, incident response planning, and compliance reporting.
Cybersecurity Services for Financial Firms
Managed cybersecurity designed for the regulatory environment and data sensitivity of UK financial services.
24/7 Security Operations Centre
Continuous threat monitoring with financial services-specific SIEM playbooks. FCA-ready incident documentation generated automatically for material incidents.
Privileged Access Management
Just-in-time privileged access with full audit trails across trading systems, client portals, and cloud infrastructure — supporting SYSC 13 audit logging requirements.
Data Loss Prevention
Microsoft Purview DLP policies prevent unauthorised exfiltration of client data via email, USB, or cloud storage, with automated policy enforcement.
Immutable Audit Logging
Tamper-proof log retention meeting FCA SYSC requirements. Long-term email and file activity archives accessible for regulatory investigations.
Incident Response & FCA Notification
Documented and tested incident response procedures with FCA notification decision trees. AMVIA manages the technical response while you manage stakeholder communications.
Compliance Reporting Dashboard
Monthly compliance dashboards covering patch status, MFA adoption, backup success rates, and security posture — ready for board and regulatory reporting.
FCA Cybersecurity Compliance Checklist
Key technical controls expected under FCA SYSC 13, PS21/3, and the FCA's cyber security guidance for smaller regulated firms.
Business continuity plan tested annually
Including IT disaster recovery — failover scenarios tested, not just documented. RTO and RPO defined for critical systems.
Material IT incidents reported within 72 hours
Documented notification procedure for FCA reporting — who makes the decision, what constitutes a material incident, and how it is reported.
Third-party IT supplier risk assessed
All IT and cloud vendors assessed under TPCRM — due diligence completed, contractual controls in place, and annual review scheduled.
Staff cyber awareness training current
Annual training and phishing simulations for all staff with access to client data or financial systems.
Penetration test completed within 12 months
By a CREST-accredited provider, covering internal and external attack surfaces. Findings tracked to remediation.
Cyber Essentials Plus certification held
Or equivalent higher-assurance certification — increasingly expected by institutional counterparties and professional indemnity insurers.
Frequently Asked Questions
Under PS21/3, FCA-regulated firms must identify their important business services, set impact tolerances, and demonstrate they can remain within those tolerances during severe but plausible disruption — including cyber incidents. Firms must also be able to notify the FCA within 72 hours of a material operational incident. AMVIA helps firms document resilience frameworks and implement the technical controls required.
The Digital Operational Resilience Act (DORA) applies to financial entities operating in the EU and their ICT third-party service providers, including UK firms with EU operations or EU clients. UK-only firms fall under FCA PS21/3 and PRA requirements, but DORA's controls — including ICT risk management, incident reporting, and third-party oversight — are highly aligned with UK expectations.
Cyber Essentials Plus is the independently assessed tier of Cyber Essentials certification. It involves a technical audit of your security controls against the CE framework. For financial services firms, CE+ demonstrates to the FCA, institutional counterparties, and PI insurers that your baseline controls have been independently verified — reducing both regulatory and commercial risk.
FCA-regulated firms must assess whether an incident constitutes a material operational incident under PS21/3, and if so, notify the FCA within 72 hours. Internally, firms should have a documented incident response plan that identifies who leads the response, how systems are isolated, how data is preserved, and how stakeholders are communicated with. AMVIA provides both the technical response and the documentation needed for regulatory reporting.
The FCA expects regulated firms to test their technical controls through regular penetration testing, ideally by CREST-accredited providers. Tests should cover internal and external attack surfaces, including cloud services, remote access infrastructure, and any client-facing portals. Findings should be tracked to remediation, with evidence retained for regulatory review. Annual testing is the minimum expectation.
Book a Financial Services Cybersecurity Review
AMVIA's FS-specialist engineers will review your IT controls against FCA SYSC and PS21/3 requirements — and provide a clear gap analysis and remediation roadmap.
Related Resources
The Complete UK Cybersecurity Guide
Foundational cybersecurity controls applicable across all UK businesses, with financial services regulatory context throughout.
Cyber Essentials Certification
How Cyber Essentials Plus meets FCA expectations and supports operational resilience compliance.
Cyber Essentials vs Cyber Essentials Plus
Which certification level does the FCA expect, and what does each cover?
MDR vs EDR for Financial Services
Comparing detection and response options for FCA-regulated firms requiring 24/7 monitoring.
How Much Does Managed Cybersecurity Cost?
Transparent cost guidance for financial services firms considering managed SOC services.