Reference Case Number: FOI9781
Freedom of Information: Right to know request:
Information relating to operational incidents reported to the FCA.
FCA response:
1. How many operational incidents have been reported to the FCA by individual firms / financial market infrastructure under SUP 15.3 and Principle 11 in 2022 so far?
As at 17 November 2022, 401 individual reports relating to 335 unique incidents have so far been reported to the FCA by individual firms/financial market infrastructure in 2022.
2. Of (1), how many related to third party failures?
Of these 401 reports, 113 relate to third party failures.
3. Of (2), how many of these arose from a cyber-attack?
Of these 113 third party failures, 64 are noted as relating to cyber-attack.
4. Of (2), how many related to IT change?
Of these 113 third party failures, 7 relate to change.
5. Of (2), how many of these third parties were technology firms such as cloud service providers, information and communications technology (ICT) services, etc.?
We do not classify the nature of third-party firms affected on a routine basis. However, based on a manual review of the data for 2022 (as at 17 November), 21 third parties involved in the incidents reported in (2) could be categorised as cloud service providers or information and communications technology (ICT) services.
6. Of (2), how many of these third parties were located in the UK and how many of these third parties were located outside the UK?
We do not capture this information.
7. Of (2), how many of these failures impacted multiple firms and FMIs?
Of these 113, 14 were reported by multiple firms and FMIs.
8. Of (2), how many of these failures posed a risk to the FCA’s objectives, including financial stability, market integrity and/or consumer protection?
All 113, as per the definition of Principle 11/SUP 15, were considered by firms to be material incidents reportable to the FCA. We are unable to provide further information in relation to this question as we do not categorise on this basis.
9. Of (2), how many of these failures resulted in a data breach?
Of the 113, 26 are understood to have resulted in a data breach, based on the information provided in reports.
10. Of (2), how many resulted in the opening of an enforcement investigation against the regulated firm(s)?
None have, to date, resulted in the opening of an enforcement investigation.