Operational disruptions can prevent consumers accessing essential financial services, disrupt markets and threaten confidence in the sector. Firms continue to face a high – and growing – level of cyber threats and operational resilience risks, against a complex geopolitical backdrop.
Firms should be investing in their resilience because of the increasing scale and complexity of both current and future threats. They must be able to prevent and respond to disruptions.
Operational disruptions are inevitable. Our aim is to reduce their impact on consumers and markets. To do this, we want to make sure that firms’ important business services are resilient to operational disruption.
Access
Access icon
Outcome 1: Firms’ important business services are resilient to operational disruption
|
Metric code |
Metric description |
Source |
Baseline Value |
Year 1 values |
Year 2 values |
Latest status (year 2 value compared to baseline) |
|---|---|---|---|---|---|---|
|
IOD1-M01 |
Maintain a low impact (scale, severity, time to resolve) of operational disruptions to firms’ important business services, as measured by FCA Technology, Resilience & Cyber function |
FCA data |
Average impact of incidents 1.29 out of 6 (Low Impact) (2023) |
|
Not Assessed |
|
|
Average impact of consumer firm incidents 1.2 out of 6 (Low Impact) |
|
|
Not Assessed |
|||
|
Average impact of wholesale markets firms – 1.36 out of 6 (Low Impact) (2023) |
|
|
Not Assessed |
|||
|
IOD1-M02 |
Maintain awareness of the FCA's work to ensure firms are operationally resilient Increase the proportion of firms who, over the past 12 months, say operational resilience has become more of a priority
|
88% of firms are aware of the FCA's work to ensure firms are operationally resilient (2022/23) |
|
91% of firms are aware of our work to ensure firms are operationally resilient (2023/24)
Difference between year 2 and baseline value is statistically significant. |
Improved |
|
|
57% of firms say operational resilience has become more of a priority over the past 12 months (2022/23) |
|
61% of firms say operational resilience has become more of a priority over the past 12 months (2023/24)
Difference between year 2 and baseline value is statistically significant. |
Improved |
|||
|
CAC1-M01 and WAC1-M01 |
We also monitor the overall number of operational incidents through topline metrics CAC1-M01[2] and metric WAC1-M01[3] |
FCA Data |
599 incidents – Consumer firms (2021)
|
588 incidents – Consumer firms (2022)
|
736 incidents – consumer firms (2023)
|
Declined |
|
FCA Data |
194 incidents – Wholesale markets firms (2021) |
197 incidents - Wholesale markets firms (2022) |
282 incidents – wholesale markets firms (2023)
|
Declined |
What the latest metric values tell us
This year we are publishing our impact scores for operational incidents (IOD1-M01) for the first time. They show that the average impact of incidents reported to us in 2023 was 1.29 out of a possible score of 6.
We continue to monitor the overall number of operational incidents reported to us (metric CAC1-M01 and metric WAC1-M01). We’re strengthening our operational incident reporting regime to make it clearer to firms what they should report to us. This work will give us greater visibility of incidents we might previously have been unaware of and, in the short-term, may lead to an increase in disruptions reported to us. Over the medium term (year 3 and beyond), we then expect that reported incidents will reduce as firms improve their operational resilience.
CAC1-M01 and WAC1-M01 (see table above) show that in 2023 a higher number of operational disruptions were reported to us than in 2022. This number has increased from 785 (2022) to 1018 (2023). Taking these metrics together, this means that, while we have seen a significant increase in the number of incidents, their average impact has overall been low. In consumer firms, the average impact was 1.2 out of 6 and for wholesale firms it was 1.36 out of 6. Both scores reflect a low impact to consumers and markets, though the impact for wholesale firms is slightly higher.
We have seen a rise in incidents affecting wholesale firms (increased by 62) and consumer firms (increased by 158) compared to 2022. Our data does not currently point to a single cause for this. The U.K. National Cyber Security Centre (NCSC) has issued warnings in May 2023[4] and Feb 2024[5] that hostile state actors are increasingly focusing their cyber-attacks on critical infrastructure networks globally. We have also previously said that we expect an increase in incident numbers reported to us over time due to our work raising firms’ awareness of operational resilience. We will be monitoring this trend over the coming year and want to better understand if there are any other drivers behind this increase.
From 31 March 2025, specific firms[6], including banks, building societies and insurers, will be required to be able to remain within their impact tolerances. We expect that this will help to limit harm from incidents and will be engaging closely with these sectors as we count down to this deadline.
For metric IOD1-M02, the results of the Practitioner Panel survey[1] continue to be promising, and we are encouraged that more firms are aware of the FCA’s work to ensure the sector’s operational resilience than before. We will continue to engage the sector to build further on the 91% that are aware of our work to ensure firms are operationally resilient, particularly as we approach March 2025 when our new rules on Operational Resilience come into effect.
The survey also shows that operational resilience has become more of a priority for more firms (61%) than before. However, we think there is scope to improve in this space, and we want to see operational resilience higher on the agenda for firms.