
UK Regulators Implement New Cyber Resilience Framework Amid Rising Third-Party Breaches

Severity: Medium (Score: 57.8)

Sources: Insurancebusinessmag, Sidley, www.bankofengland.co.uk

Summary

The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have introduced new rules to enhance cyber resilience and incident reporting for regulated firms in the UK, effective March 18, 2027. The framework aims to address the increasing number of cyber incidents, particularly those involving third parties, which accounted for over 40% of reported incidents in 2025. The new rules require firms to maintain a register of third-party providers and ensure visibility across their supply chains. Incident reporting will have stricter deadlines, with dual-regulated firms needing to submit reports that are shared across regulators. The framework also includes two parallel regimes for incident and material third-party reporting, with varying obligations for different types of firms. The urgency for these measures is underscored by a significant rise in nationally significant cyber incidents, which more than doubled in 2025. The FCA's approach contrasts with the EU's Digital Operational Resilience Act, emphasizing outcomes rather than prescriptive controls. Firms are advised to begin preparations now due to the extensive changes required.

Key Points

  • New UK cyber resilience rules take effect on March 18, 2027.
  • Over 40% of cyber incidents in 2025 involved third-party breaches.
  • Firms must maintain a register of third-party providers for compliance.

Key Entities

  • Ransomware (attack_type)
  • Financial (industry)