What does FCA operational resilience require from a firm's IT infrastructure?

FCA operational resilience rules (PS21/3) require firms to identify their important business services, set impact tolerances for disruption to those services, and demonstrate the ability to remain within those tolerances during severe but plausible scenarios. Underpinning that is an IT infrastructure capable of rapid recovery, tested regularly against realistic failure scenarios, with documented evidence of the testing.

How do I evidence cyber due diligence to the FCA?

Evidence typically includes: a current cyber risk assessment, documented controls aligned to a recognised framework (NCSC Cyber Essentials or ISO 27001 being most common), records of patch management and vulnerability scanning, penetration test reports, staff training records, and a tested incident response plan. The FCA expects this to be reviewed by the relevant SMF holder under SMCR.

What is an Important Business Service under FCA operational resilience rules?

An Important Business Service is any service your firm provides to external clients that, if disrupted, could cause harm to those clients or risk to market integrity. Identifying these services is the first step in FCA operational resilience compliance. For most investment firms and advisory businesses, this includes order execution, client reporting, custody services and financial advice delivery.

How does SMCR affect IT governance responsibilities?

Under SMCR, a named Senior Manager Function holder must take personal responsibility for the firm's operational resilience and IT governance. This means the relevant SMF holder is personally accountable for ensuring adequate controls are in place, documented and reviewed — and can be held individually responsible if a failure results from inadequate governance.

How quickly must an FCA-regulated firm recover from an IT outage?

The FCA does not prescribe a single recovery time, but firms must set their own impact tolerances — the maximum tolerable level of disruption to each important business service — and demonstrate they can consistently meet them. For most retail-facing services, regulators expect recovery to be measured in hours, not days.

What cyber controls does the FCA expect for client data protection?

The FCA expects firms to apply controls proportionate to the sensitivity of the data held. For client financial data, this includes encryption at rest and in transit, access controls limited to those with a business need, regular access reviews, MFA on all external-facing systems, and monitoring for unusual access patterns. These obligations run alongside, and in some cases exceed, baseline UK GDPR requirements.

Does our firm need penetration testing to satisfy FCA requirements?

The FCA does not mandate penetration testing by name, but supervisory expectations and operational resilience guidance make clear that firms should test their infrastructure against realistic threat scenarios. For most firms, an annual penetration test is the most practical way to demonstrate that controls are effective, not just documented.

What is the FCA's position on third-party IT suppliers?

The FCA holds firms responsible for the operational resilience of services delivered by third-party suppliers, including cloud providers and managed IT services. Firms must conduct due diligence before engagement, include appropriate contractual provisions, monitor supplier performance, and maintain the ability to exit and migrate without unacceptable disruption — this is a core element of the FCA's outsourcing rules.

Financial Sector ◆ FCA · SM&CR · CASS

You are in the
right place.

UK financial firms are operating under a tightening framework of regulatory, data protection, and insurance obligations — each of which now carries a direct technology requirement. Understanding what applies to you, and what it means in practice, is the first step.

Talk to Us Understand the Detail

What We Address

SM&CR Personal Liability

The Senior Managers and Certification Regime makes IT governance a named individual responsibility. An operational failure caused by inadequate systems is not an IT problem — it is a conduct problem, and the FCA will pursue it as one.

Operational Resilience

FCA PS21/3 requires firms to identify important business services, set impact tolerances, and prove they can remain within them during a disruption. That proof depends critically on your infrastructure — its redundancy, its recovery, and its documentation.

CASS-Ready Infrastructure

Regulatory integrity starts with your infrastructure. To meet CASS demands for recoverability, your core systems must be robust. We manage the underlying environment that supports your operations, reducing your exposure to the technical failures that can trigger FCA enforcement.

Talk to Us Understand the Detail

For the Detail-Focused

Understand the Compliance Landscape

Financial Sector Obligations

The regulations that carry direct technology obligations. Select any panel to understand what it means for your infrastructure — in plain English.

High Risk

FCA / PRA — SM&CR Senior Managers & Certification Regime Named Senior Managers carry personal liability for IT governance failures.

→

High Risk

FCA PS21/3 Operational Resilience — Impact Tolerances Firms must prove they can deliver services within defined disruption tolerances.

→

High Risk

FCA CASS Rules Client Asset Sourcebook — Segregation & Recovery System failure disrupting client asset records creates immediate enforcement exposure.

→

Medium Risk

NCSC / Government Scheme Cyber Essentials — April 2026 Changes Self-declaration replaced by evidenced controls from April 2026.

→

High Risk

Data Protection Act 2018 / UK GDPR ICO Obligations & 72-Hour Notification A breach triggers both ICO and FCA notification — two regulators, one incident.

→

High Risk

Cyber Insurance Technical Warranties & Claim Validity Four controls must be evidenced at time of incident or claim can be refused.

→

Could your infrastructure
withstand FCA scrutiny?

We come to you. A structured review of your systems against FCA operational resilience requirements, SM&CR obligations, and insurance warranties — producing a written report with a clear remediation plan.

Request a Firm Infrastructure Audit

No commitment required ◆ We respond within one business day

You are in the
right place.

SM&CR Personal Liability

Operational Resilience

CASS-Ready Infrastructure

Understand the Compliance Landscape

2025 UK Cyber Attack Review

Cyber Insurance Integrity Audit

True Cost of Downtime Calculator

Could your infrastructure
withstand FCA scrutiny?

You are in theright place.

SM&CR Personal Liability

Operational Resilience

CASS-Ready Infrastructure

Understand the Compliance Landscape

2025 UK Cyber Attack Review

Cyber Insurance Integrity Audit

True Cost of Downtime Calculator

Could your infrastructurewithstand FCA scrutiny?

You are in the
right place.

Could your infrastructure
withstand FCA scrutiny?