Financial Conduct Authority Offers Advice On Preparing For Cyberattacks

July 25, 2024


Financial regulators worldwide are treating operational resilience as a priority. The Financial Conduct Authority (FCA) published its first paper on the topic in 2019, according to an article by Cadwalader.

By the end of March 2025, FCA-regulated firms must confirm that they have conducted testing showing they can remain within their impact tolerances for operational risks, including those arising from cyberattacks.

The article stressed the importance of identifying critical business services, setting impact tolerances, and conducting scenario testing to prepare for potential operational failures.

In anticipation of its 2025 deadline, the Financial Conduct Authority published an updated guide providing further insights and expectations for firms to meet:

  • Regularly assess and justify the importance of business services
  • Establish clear boundaries for acceptable disruption levels
  • Document and manage third-party relationships required for a firm to deliver each of its important business services
  • Conduct rigorous testing to handle severe disruptions
  • Perform mapping and scenario testing that identifies and addresses weak points
  • Develop, test, and refine disruption response plans
  • Ensure comprehensive board-approved assessments
  • Embed resilience into corporate culture and risk management
  • Continuously monitor and update resilience strategies against emerging risks

The FCA highlights several poor practices, which Cadwalader refers to as “a what-not-to-do guide.”

One example is that impact tolerances often lack sufficient rationale for the firm’s board to understand the parameters set and the reasons behind them. Additionally, impact tolerances are frequently expressed only in terms of downtime. Firms should consider other metrics, such as the value of transactions affected, the criticality of those transactions, and estimated losses.
