UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
• where the incident is also a personal data breach, organisations may need to report the incident to the ICO.

The FCA also recommends that firms refer to the NCSC guidance on reporting incidents, and that reports should be shared on the Cyber Security Information Sharing Partnership (CiSP) platform. The CiSP is a key information-sharing organisation in the UK. It is a joint industry and UK government initiative managed by the NCSC. The CiSP allows members to voluntarily exchange cyber-risk information in a secure environment, thereby reducing the impact of cyber-risks for UK businesses in general.

More generally, and as part of the FCA’s goal to assist firms in becoming more resilient to cyber-attacks, it recommends that firms of all sizes should develop a “security culture”, be able to identify and prioritise information assets, and constantly evolve to meet new threats.

In addition, certain categories of FCA-regulated firms have additional reporting requirements. By way of example, payment services providers are required to report major operational and security incidents pursuant to the PSRs.

For CTPs, the rules established by the CTP Policy Statement introduce a phased approach to notifications in relation to incidents affecting CTP services, such as those that impact the availability, authenticity, integrity or confidentiality of assets. This reporting will consist of:
• an initial notification, without undue delay, to the relevant parties after the CTP is aware that the relevant incident has occurred;
• one or more intermediate incident reports as needed; and
• a final incident report.
Looking forward, the Operational Resilience Requirements will require financial services firms to comply with a number of obligations around operational resilience, including:
• performing mapping and scenario testing (including for cyber-related disruptions);
• investing to enable a firm to operate within its impact tolerances and to respond effectively and recover quickly when disruption does occur;
• documenting and maintaining operational resilience policies and procedures;
• assigning clear roles and responsibilities within the firm; and
• engaging with key stakeholders (eg, regulators, clients, suppliers and CTPs).

On 13 December 2024, the PRA and FCA published further consultation papers – respectively, “Operational resilience: Operational incident and outsourcing and third-party reporting” (PRA CP17/24) and “Operational Incident and Third-Party Reporting” (FCA CP24/28). These propose a framework for the reporting of operational incidents and for the notification and reporting of material third-party arrangements. Under the proposals, the PRA and FCA will expect firms to report incidents meeting certain thresholds. The consultation papers are open for comments until 13 March 2025.

3.4 Operational Resilience Enforcement
The FCA and PRA have a broad legislative mandate and powers to enforce rules made under the CTP regime against designated CTPs. As this is a new regime, it remains to be seen how such powers will be exercised.

3.5 International Data Transfers
This is not applicable in the UK.