Cybersecurity 2025

UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP

3.2 ICT Service Provider Contractual Requirements

As noted in 3.1 Scope of Financial Sector Operation Resilience Regulation, CTPs are a key focus of UK financial services operational resilience. The CTP Policy Statement introduces new rules that will apply to a CTP designated under the regime. Under the applicable rules, CTPs will need to:

• meet the minimum resilience standards in respect of any material services that they are providing to financial services firms;
• comply with six “fundamental rules” that will apply to all the services a CTP provides, including having effective risk strategies and dealing with the FCA or PRA (as applicable) in a co-operative manner; and
• comply with eight “operational risk and resilience requirements” that will apply to a CTP’s material services, such as the requirement to appropriately manage incidents that may adversely affect (or may reasonably be expected to adversely affect) the delivery of a material service.

The new regime for CTPs was created under the Financial Services and Markets Act 2023, which amended the Financial Services and Markets Act 2000 (FSMA). The relevant provisions allow the UK Treasury to designate a person who provides services to regulated firms and financial market infrastructures as “critical”. CTPs will typically be service providers that provide certain outsourced and third-party services to large numbers of financial institutions and whose services are very difficult to substitute. Although the concepts in FSMA are broadly analogous to DORA, the criteria for designation and the scope of regulatory powers differ in several important respects.

3.3 Key Operational Resilience Obligations

The FCA has demonstrated a strong focus on cybersecurity in the financial services industry. This is reflected in particular in:

• Principle 3 (Management and Control) of the FCA Handbook’s Principles for Businesses, which states that “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”; and
• Principle 11 (Relations with Regulators), which requires that “a firm must deal with its regulators in an open and co-operative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice”.

In relation to Principle 11, the FCA has confirmed that regulated firms must report material cyber-incidents. The FCA considers that an incident may be material if it:

• results in significant loss of data, or of the availability or control of a firm’s IT systems;
• affects a large number of customers; or
• results in unauthorised access to, or malicious software present on, a firm’s information and communication systems.

Where such an incident is deemed to be material, the FCA requires that:

• the FCA (and the PRA for dual-regulated firms) should be notified;
• if the incident is criminal, Action Fraud (the UK’s national fraud and cybercrime reporting centre) should be contacted; and
