Financial services firms regulated by the FCA face a more prescriptive cyber security regulatory environment than most other small business sectors. The operational resilience framework, the SM&CR accountability regime, GDPR obligations for financial personal data, and the FCA's own cyber security guidance create a set of requirements that are individually demanding and collectively comprehensive. Understanding how they fit together is the starting point for demonstrable compliance.
FCA Operational Resilience Rules
The FCA's operational resilience rules (PS21/3, in force from 31 March 2022, with a transition period to 31 March 2025 for firms to show they can stay within their impact tolerances) require in-scope firms to: identify their important business services; set an impact tolerance for each (the maximum tolerable level of disruption, which must include a maximum tolerable duration and may add other measures such as the number of clients affected); map the people, processes, technology, facilities and information that support those services; and test, using severe but plausible scenarios, that they can remain within those tolerances. The formal rules (SYSC 15A) apply to banks, building societies, insurers, PRA-designated investment firms, enhanced-scope SM&CR firms, payment and e-money institutions and recognised investment exchanges. A typical small advice firm is a core SM&CR firm and sits outside that formal scope, but it is still required under SYSC 4.1 and Principle 3 to have adequate risk management systems, and the operational resilience framework is the clearest statement of what the FCA expects those systems to achieve for a cyber disruption.
For an IFA or wealth manager, the important business services typically include: providing investment advice, executing portfolio transactions, managing client reporting and communication, and processing client onboarding and account administration. Each of these depends on specific technology — the back-office system, the investment platform portals, the client relationship management system, and email. Ransomware that takes any of these offline creates a disruption to an important business service that the firm must be able to manage within its stated impact tolerance.
The FCA's expectation is that firms have tested their ability to remain within impact tolerances in severe but plausible scenarios, not just in best-case ones. A tabletop exercise that asks "what would we do if our back-office system was unavailable for a week?" is the minimum; to be useful it should settle who decides to invoke the recovery plan, how clients are contacted when firm email is itself compromised or unavailable, and how long a restore from backup actually takes when timed rather than estimated. A firm that has not run the exercise, documented the outcome and closed the gaps it found cannot show that it can remain within its impact tolerance. For a firm within the scope of SYSC 15A that is a breach of the rules; for any other regulated firm it is a gap in risk management that the FCA can treat as an operational failing under SYSC 4.1, whatever the firm's size.
SM&CR: Personal Accountability for Cyber Failures
The Senior Managers and Certification Regime (SM&CR) creates personal accountability for senior managers at FCA-regulated firms. Under SM&CR, responsibility for operational resilience, including cyber security, must be allocated to a senior manager whose Statement of Responsibilities records it, and that individual is personally accountable to the FCA for how the firm manages the risk.
In an IFA firm, this is typically the sole trader, the managing director, or the compliance officer, depending on how responsibilities are allocated. The practical implication is that a cyber security failure, particularly one that results in client harm or an FCA investigation, can have personal regulatory consequences for the named individual (including enforcement action for breach of the Conduct Rules), not just institutional consequences for the firm. This is a significant motivator for senior management engagement with cyber security that purely institutional consequences do not provide.
UK GDPR: Financial Personal Data
Financial personal data (client income, assets, investment portfolios, pension values, tax position and estate planning details) is not special category data under Article 9, but UK GDPR still requires security "appropriate to the risk". Article 5(1)(f), the integrity and confidentiality principle, and Article 32 both scale the required technical and organisational measures to the likelihood and severity of harm to the individual if the data is breached, and ICO guidance treats financial details as data whose loss is likely to cause that harm. In practice this means the measures expected of an IFA are judged against the consequences of a breach for the client, not against the fact that the data falls outside Article 9.
The harm from a breach of an IFA client's financial profile is direct and quantifiable: the data can be used for identity fraud, investment account takeover, targeted phishing that references real holdings and adviser names, and, in the case of elderly or vulnerable clients, financial exploitation. The accountability principle in Article 5(2) means the firm must be able to demonstrate the security measures it has taken, with records, not just assert that it takes security seriously.
The FOS and Client Harm
The Financial Ombudsman Service can determine complaints against FCA-regulated firms. Complaints arising from cyber incidents, such as client funds redirected through a compromised firm email account, client data disclosed through a breach, or fraudulent advice impersonating a firm's adviser, can result in FOS determinations requiring the firm to compensate the client. In deciding such complaints the FOS considers whether the firm took reasonable steps to protect the client; a firm that cannot show it had appropriate security controls in place is likely to be held responsible for the loss that followed.
The business risk of an FOS determination is not just financial, though a determination requiring compensation to multiple affected clients can be material for a small firm. It is also reputational: FOS final decisions are published, and a finding that a firm failed to protect client data or client money creates a public record that adversely affects client acquisition and retention.
What Demonstrable Compliance Looks Like for FCA Firms
Across all of the frameworks above, the evidence that matters to the FCA, the FOS and the ICO converges on a consistent set of artefacts:
- A documented operational resilience assessment covering important business services, their supporting technology and cyber disruption scenarios, with dated evidence of testing and of the remediation that followed
- SM&CR responsibility allocation for operational resilience, recorded in the relevant Statement of Responsibilities, with the named senior manager demonstrably engaged in oversight (for example, minuted review of incident reports and test results)
- MFA on all email accounts, client portal access and back-office system access, enforced rather than merely available, with legacy authentication methods that bypass MFA disabled
- Cyber Essentials certification, the most widely recognised baseline security attestation in the UK
- A documented incident response procedure that includes FCA notification of material cyber incidents (Principle 11 and SUP 15.3), ICO personal data breach notification within 72 hours of becoming aware where the breach is likely to result in a risk to individuals (Article 33), and notification of affected clients without undue delay where that risk is high (Article 34)
- Regular (for example monthly) security monitoring reports demonstrating active, continuous oversight, which give a supervisor or ombudsman contemporaneous evidence that controls were operating, rather than a policy document that says they should have been
FCA Compliant. SM&CR Accountable. Clients Protected.
SOC in a Box provides the continuous monitoring, Cyber Essentials certification and monthly Confidence Score reports that give an FCA-regulated firm evidence for its operational resilience, SM&CR accountability and ICO GDPR obligations. Your named analyst's monthly report is the record that both your FCA supervision relationship and your SM&CR responsibility can draw on when asked to show what controls were in place and when.