Information on monthly cyber incidents for fund administration firms - August 2022

Can you tell me the number of monthly cyber incidents against fund administration firms, dating from April 2019 to the latest available date?

On 7 July 2022 you clarified that you were mainly seeking information in respect of

(a) firms ‘that provide administration services to fund management companies’, and

(b) firms ‘that either administer funds or provide administration services.

By way of background, it may be helpful to know that individual firms have an obligation to report material operational incidents to the FCA as defined under SUP 15.3 and Principle 11.  This includes incidents that are a result of cyber-attacks.  Please note that the figures presented below do not include operational incidents at FCA regulated firms that have not been reported directly to the FCA.

All data is accurate as at 11 July 2022 and is subject to change due to ongoing investigations of incidents.

In respect of part (a), for the period April 2019 until 30 June 2022, the FCA has received reports of six cyber incidents from regulated Custody Services firms, as set out below.  Our “Custody Services” designation includes firms that provide fund administration services not limited to custody of assets.

In respect of part (b), the figures above represent those firms that provide one or more regulated administration activity to fund managers.  As not all of the activities which constitute fund administration require specific permissions, we do not differentiate firms who have or have not outsourced their fund administration activities