Cybersecurity for Financial Services: UK Compliance Guide

UK financial services firms face overlapping cybersecurity obligations from the FCA, DORA, PRA and UK GDPR. This guide covers the key regulatory requirements, common threat vectors and the technical controls firms of all sizes must have in place.

Nathan Hill-Haimes

Technical Director

9 min read·Mar 2026

The regulatory landscape for financial services cybersecurity

Financial services firms in the UK operate under one of the most demanding cybersecurity regulatory environments of any sector. The FCA's Operational Resilience Policy Statement (PS21/3) requires firms to identify their important business services, map the dependencies that support them, and demonstrate they can remain within impact tolerances — the maximum disruption acceptable before customer harm occurs — by March 2025. Cybersecurity is central to meeting this requirement.

The Digital Operational Resilience Act (DORA), which applies to UK firms operating within or serving EU markets, took effect in January 2025. DORA imposes specific requirements around ICT risk management, incident classification and reporting, third-party ICT risk, and digital operational resilience testing including threat-led penetration testing (TLPT) for significant institutions.

FCA cybersecurity expectations

The FCA has been clear in its supervisory communications that it expects firms to demonstrate a proportionate but genuine approach to cyber risk. Key areas of FCA focus include:

  • Governance: Boards and senior management should be able to articulate the firm's cyber risk appetite, understand the controls in place, and demonstrate active oversight rather than delegating responsibility entirely to IT
  • Third-party risk: Firms must manage cyber risk within their supply chain. An attack on a critical outsourced service provider can breach your operational resilience obligations even if your own systems are unaffected
  • Incident response: The FCA expects firms to have tested incident response plans and to notify the regulator of material operational incidents within the specified timescales
  • Access controls: Privileged access management, multi-factor authentication and regular access reviews are considered baseline requirements

Common threat vectors in financial services

Phishing and spear phishing

Targeted phishing campaigns aimed at finance teams and client-facing staff remain the most common initial access vector. Criminals research companies on LinkedIn and Companies House to craft convincing impersonation emails. Business email compromise attacks — where criminals impersonate the CEO or a supplier to authorise fraudulent payments — cost UK financial firms tens of millions each year.

Third-party and supply chain attacks

Many UK financial firms use managed service providers, cloud platforms, and specialist fintech integrations. A compromise of any one of these can expose client data or disrupt operations. The FCA's PS21/3 and DORA both require firms to conduct due diligence on critical ICT third-party providers and contractually enforce security standards.

Ransomware

Ransomware attacks against financial services firms have increased, with smaller regulated businesses — those outside the perimeter of the very largest banks — increasingly targeted. The combination of sensitive client data, regulatory pressure and the need for near-continuous availability makes the sector an attractive target.

Technical controls the FCA expects

Whilst the FCA is not prescriptive about specific technologies, supervisory guidance and industry frameworks point to the following as baseline requirements for regulated financial services firms:

  • Multi-factor authentication on all systems, particularly email, VPN and cloud platforms
  • Endpoint detection and response (EDR) rather than legacy antivirus alone
  • Patch management with documented timescales for critical vulnerability remediation
  • Network segmentation to limit lateral movement in the event of a breach
  • Encrypted data at rest and in transit, particularly for client data subject to UK GDPR
  • Privileged access management and regular access reviews against the principle of least privilege
  • Security monitoring and logging with sufficient retention to support incident investigation

Cyber Essentials and ISO 27001 for financial firms

Cyber Essentials certification — the UK government-backed scheme — provides a recognised baseline and is increasingly requested by financial services firms when onboarding suppliers. It covers five technical controls: firewalls, secure configuration, user access control, malware protection and patch management. Cyber Essentials Plus adds independent verification through hands-on technical testing.

ISO 27001, the international standard for information security management systems, is increasingly expected of firms managing significant volumes of client financial data. It requires a systematic approach to risk assessment, documented controls, and ongoing audit — providing the governance framework the FCA expects to see in practice.

Cyber insurance for financial services

Cyber insurance is now essentially standard for FCA-regulated businesses. Insurers are increasingly requiring firms to demonstrate a minimum security posture — typically Cyber Essentials, MFA on email, and tested incident response plans — before offering cover. Firms that cannot demonstrate these controls face either declined applications or substantially higher premiums.

AMVIA supports financial services firms with managed cybersecurity programmes designed to meet FCA, DORA and UK GDPR requirements — from initial gap assessment through to ongoing monitoring and compliance reporting.

Building a proportionate security programme

Proportionality is a recurring word in FCA guidance — what is expected of a 10-person IFA is different from what is expected of a 500-person asset manager. However, the underlying principle is the same: firms should understand their specific risks, implement controls appropriate to those risks, and be able to demonstrate this to a regulator or auditor. A managed security partner with financial services experience can significantly accelerate this process.

Does Your Security Meet FCA Expectations?

AMVIA can assess your current cybersecurity posture against FCA operational resilience requirements and identify the gaps before your regulator does.