Cyber Insurance for IFAs and Wealth Managers — Specific FCA Expectations

Why cyber cover is no longer a discretionary purchase for advised firms: FCA expectations (and the parallel PRA messaging), SYSC obligations, and the cyber event as a SUP 15.3.11R notifiable event.


The scenario

A 15-adviser financial planning firm in the Midlands holds client data for around 2,400 individuals and discretionary management mandates for around £620m of assets. The firm is authorised by the FCA, holding permissions for advising on and arranging investments and for managing investments. It is not dual-regulated by the PRA (not deposit-taking) but is subject to FCA supervisory regimes including SYSC and the operational resilience framework.

A phishing campaign compromises a paraplanner's mailbox. Over four weeks the attacker reads and exfiltrates client data from it. The breach is discovered when an anomalous mailbox forwarding rule is noticed. The firm notifies the ICO. The firm asks: do we notify the FCA as well?

The answer, almost certainly, is yes. Why, when, and what does the firm tell the FCA — and what does the cyber policy do to help?

The regulatory framework

FCA SYSC 4.1. The Senior Management Arrangements, Systems and Controls module of the FCA Handbook imposes a general obligation on firms to maintain effective systems and controls, including for operational risk and information security. SYSC 4.1.1R requires a firm to have robust governance arrangements, including effective processes to identify, manage, monitor and report risk, internal control mechanisms, and effective control and safeguard arrangements for its information processing systems.

FCA Operational Resilience policy. PS21/3 and the parallel Bank of England / PRA policy on operational resilience came into force on 31 March 2022 with a three-year transition. Since 31 March 2025 firms in scope must be able to demonstrate that they can remain within their impact tolerances for each important business service. Cyber events are within scope. The policy applies only to the firm types named in it.

Smaller IFAs and wealth managers are usually outside formal scope of the resilience policy but are subject to equivalent, proportionate expectations under SYSC 4.1 and the FCA's broader operational risk framework.

PRA Dear CEO letter, August 2022. The PRA letter to deposit-taking firms on cyber resilience (and the corresponding FCA messaging to investment firms) emphasised cyber risk assessment, threat-led testing, third-party risk management and incident reporting. The letter raised the supervisory bar: firms are evaluated against it during routine supervision, and an FCA-only firm should expect the same themes from its own supervisor.

SUP 15.3.11R notifiable events. A firm must notify the FCA as soon as possible of any matter which could have a significant adverse impact on the firm’s reputation, on consumer protection, or on the firm’s ability to provide adequate services. A material cyber incident meets this test. The FCA’s online incident reporting form is the normal route.

Article 33 UK GDPR. Separate from the FCA obligation, a personal data breach must be notified to the ICO without undue delay and, where feasible, within 72 hours of awareness, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the risk is high, Article 34 also requires the affected individuals to be told. The ICO and FCA notifications run in parallel; neither discharges the other.

SMCR. Responsibility for operational resilience, including cyber preparedness, must sit with an identified senior manager. In Enhanced-scope firms that is typically the Senior Manager Function 24 (Chief Operations) holder; SMF24 does not exist for Core firms, so a firm of the size in our scenario must still be able to show which of its senior managers owns the responsibility. That individual is accountable regardless of the controls or insurance in place.

Consumer Duty. The Consumer Duty (PRIN 2A) requires firms to deliver good outcomes for retail customers. A material breach affecting consumer protection engages the duty.

What the FCA expects

The FCA’s published supervisory expectations, drawn from PS21/3, multiple Dear CEO letters, and supervisory communications, can be summarised as:

The firm has identified its important business services and the supporting third-party dependencies.

The firm has mapped the systems, people, processes and third parties supporting each service.

The firm has set impact tolerances for each important business service — the maximum tolerable level of disruption.

The firm has tested its ability to remain within tolerance under plausible scenarios including cyber events.

The firm's board has reviewed and approved the operational resilience self-assessment, and governance of the framework is reported to the board at least annually.

The firm has notified the FCA of material incidents under SUP 15.3.11R.

For smaller IFAs and wealth managers not formally in PS21/3 scope, the FCA’s expectation is that proportionate equivalents are in place under SYSC 4.1.

Where cyber insurance fits

Cyber insurance has both a response role (paying for incident response, defence and indemnity) and an evidential role (showing the supervisor that the firm has arranged access to the necessary external expertise in advance).

The cyber policy supports operational resilience by:

Providing access to a panel forensic team, legal team and PR team within hours, without the firm needing to negotiate emergency engagements.

Providing financial cover for the cost of compliance with notification obligations.

Funding the firm's response to, and defence of, FCA, ICO and (where applicable) PRA enquiries.

Providing third-party liability cover for civil claims by data subjects and clients.

Providing some business interruption cover where the firm’s ability to deliver service is impaired.

What cyber insurance does not do:

It does not satisfy SYSC 4.1 in itself. SYSC requires systems and controls; insurance is a financial backstop, not a control.

It does not extinguish FCA supervisory enquiry. The FCA engages with the firm directly; the insurer is a supplier to the firm, not a party to the supervisory relationship.

It does not remove SMF accountability. The senior manager remains accountable irrespective of insurance.

It does not pay FCA financial penalties. GEN 6.1.5R prohibits a firm from insuring against an FCA fine, and most cyber wordings cover regulatory fines only "where insurable at law". Budget for the defence costs, not the penalty.

The PI policy for IFAs and wealth managers

IFAs and wealth managers carry PI cover, often via specific market schemes for the advised sector. The cover typically responds to:

Civil claims by clients arising from unsuitable advice, misselling, and breach of the firm’s duty as adviser.

Claims by the Financial Services Compensation Scheme (FSCS) where the firm has failed, the FSCS has met retail client claims, and it seeks to recover from the firm's insurers.

Defence of FCA investigations and enforcement proceedings.

Where a cyber event causes, or contributes to, a misselling or other client loss, both cyber and PI may be engaged. This is the familiar overlap between the two policies.

The Consumer Duty dimension

The Consumer Duty requires firms to deliver good outcomes. A cyber incident affecting consumer protection — for example, exposure of client investment data that enables identity fraud — can be a Consumer Duty failure independent of any specific FCA rule breach. The firm’s response must include consideration of how the incident affected consumer outcomes and what is being done to remediate.

The cyber policy may pay for remediation activities (credit monitoring, identity protection, client outreach). The PI policy may pay individual client claims for loss. The Consumer Duty itself is not an insurable liability: it is a regulatory standard whose breach attracts enforcement rather than damages, and PRIN 2A gives clients no private right of action. The consequences of a breach, however, may well be insurable.

The cyber-event as SUP 15.3.11R notifiable event

The trigger for SUP 15.3.11R is that the matter could have a significant adverse impact on the firm’s reputation, on consumer protection, or on the firm’s ability to provide adequate services. A material cyber incident plainly may.

The FCA’s incident reporting form asks for:

A brief description of the incident. Time of discovery. Number of clients potentially affected. Whether client money or assets are at risk. Whether the firm's ability to operate is impaired. Steps taken in response. Contact details for the firm's incident lead.

The notification should be made as soon as possible; do not wait for the forensic investigation to complete, and update the FCA as the facts develop. The cyber policy's panel legal firm can usually assist with drafting, and that cost is indemnified.

Worked example

The Midlands IFA in our scenario, with 2,400 affected clients (indicative figures):

Action                                               Quantum               Policy
Forensic investigation                               £80,000               Cyber
Legal coordination (ICO and FCA notifications)       £45,000               Cyber
Notification to 2,400 clients                        £18,000               Cyber
Credit monitoring (£15 x 2,400 x 2 years)            £72,000               Cyber (subject to sub-limit)
ICO investigation defence (estimated)                £130,000              Cyber
FCA skilled person report (s.166, if required)       £180,000              Cyber regulatory cover (subject to sub-limit)
Possible civil claims (small proportion of clients)  £80,000 to £200,000   Cyber/PI
PI premium uplift next year                          £24,000               n/a
Cyber premium uplift next year                       £35,000               n/a
Lost productivity during response                    £85,000               Uninsured
Total acute incident cost                            c. £700,000 to £800,000   mostly cyber

The firm's own cost on the acute incident is roughly £150k (next-year premium uplifts, lost productivity and the policy excesses). The cyber policy bore the bulk of the response cost.

Specific issues for advised firms

Client money and the Client Assets Sourcebook (CASS). If the cyber incident touches client money or custody assets, CASS is engaged and CASS breaches attract significant FCA enforcement attention. Check that the cyber policy's panel firms include legal and forensic advisers with CASS experience.

Pension transfer advice and DB-to-DC transfer files. Firms holding sensitive pension transfer files, which the FCA already scrutinises for historic suitability, face heightened reputational and regulatory risk if those files are exposed.

The FCA's s.166 power. The FCA can require an independent skilled person report on a firm under section 166 FSMA. Cyber and operational matters are increasingly triggers for s.166 reviews. The cost of the report falls on the firm; it is often indemnifiable under the cyber policy's regulatory cost head, usually within a sub-limit.

Permissions and authorisation. In extreme cases the FCA may vary or remove permissions. This is rare, but possible where cyber failures have contributed to consumer harm.

Practical buyer takeaway

For IFAs and wealth managers:

Verify that the cyber policy covers FCA regulatory defence cost, not only ICO defence. Some standard cyber wordings are written around the ICO; FCA cover may be a separately negotiated extension.

Verify cover for skilled person reports under s.166, and check the sub-limit. This can be a six-figure cost.

Match the cyber policy's retroactive date to the earliest date from which you hold material client data, so that an older compromise discovered now is not excluded.

Maintain the controls the operational resilience framework expects and underwriters now ask about: MFA on all remote and email access, EDR on endpoints, tested (and offline) backups, and third-party risk management. Insurers increasingly make some of these conditions of cover.

Document your important business services and your impact tolerances. The framework is now standard for proportionate-scale firms.

Check that cyber accountability is clearly allocated to a named senior manager: the SMF24 holder in an Enhanced firm, or the senior manager to whom operational resilience is allocated in a Core firm. The board must be able to demonstrate that allocation.

For larger firms, consider a separate D&O policy for senior manager exposure.

Train all client-facing staff in cyber hygiene. Phishing remains the dominant attack vector.

FAQ

Q1. Is cyber insurance mandatory for FCA-regulated firms? Not formally. Unlike PI cover, there is no rule requiring it. SYSC 4.1 requires effective systems and controls; insurance is one part of the firm's preparedness, not a control in itself. In practice the FCA may ask about it when assessing how the firm would respond to an incident.

Q2. Does the FCA see the cyber policy at supervision? Often. As part of operational resilience reviews the FCA may ask about insurance coverage. The FCA does not evaluate the policy terms as such; it is interested in the firm's overall preparedness.

Q3. What's the difference between SUP 15.3.11R and Article 33? SUP 15.3.11R is the FCA notification; Article 33 is the ICO notification. They are separate obligations with separate tests. Both clocks start from awareness and run in parallel.

Q4. Will my cyber insurer give me a discount for operational resilience compliance? Increasingly insurers price favourably for firms that can demonstrate the framework. Bring the documentation to the underwriting submission.

Q5. Does PI cover replace the need for cyber for an IFA? No. PI responds to civil claims by clients arising from advice failures. Cyber responds to incident response, regulatory defence and (often) client data civil claims. The two are complementary.

Q6. What about Appointed Representatives? The principal firm is responsible under SYSC for the conduct and arrangements of its ARs. The principal’s cyber policy should expressly cover ARs. Check the wording.

Q7. What's the FCA's expectation on incident timeline? As soon as possible under SUP 15.3.11R; the Handbook does not give a fixed period. In practice firms notify within 24 to 72 hours of awareness, and faster where consumer protection is affected. An initial notification with incomplete facts, followed by updates, is preferable to a delayed but complete one.

Q8. Where do I read more on operational resilience? FCA Policy Statement PS21/3 and the Bank of England’s parallel policy are the primary materials. The PRA Dear CEO letter of August 2022 sets out current supervisory expectations.

Sources

FCA Handbook, SYSC 4.1.
FCA Handbook, SUP 15.3.11R.
FCA Handbook, PRIN 2A (Consumer Duty).
FCA Policy Statement PS21/3 (Operational Resilience).
Bank of England / PRA Operational Resilience policy (March 2021).
PRA Dear CEO letter on cyber resilience, August 2022.
FCA Senior Managers and Certification Regime materials.
Financial Services and Markets Act 2000, section 166.
UK GDPR, Articles 33 and 34.

Related

Hub: Cyber vs PI, where cover ends and begins
Spoke 5: Data Protection Act 2018 / UK GDPR civil claims
Spoke 6: The notification clock problem
Spoke 10: Broker due diligence at PI renewal

Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
