
UK financial firms must now adopt a security-led approach to their assets, dependencies, and risks to demonstrate they can recover within defined impact tolerances, following the enforcement of the FCA and PRA's operational resilience rules for critical third parties (CTPs) on March 31, 2025, says Panaseer CEO Jonathan Gill.
The rule mandates that UK financial firms – including banks, insurers, and investment firms – ensure critical services remain operational during disruptions.
The FCA has previously cautioned that many firms fail to identify essential services or assess risks to vulnerable customers.
Panaseer is a cybersecurity automation and data analytics company that supports organisations in preventing avoidable security breaches.
In an emailed statement to International Accounting Bulletin, Gill said: "The FCA's reasoning has always been clear: even with the best will in the world, breaches keep happening, and ensuring operational resilience is critical. Throughout the transition period the FCA has repeated two things. First, that mapping is the crucial element behind greater operational resilience. And second, that this mapping is not a one-and-done process, but one that will mature over time.
“Doing this successfully demands a reliable, centralised system of record, so firms can operate on facts rather than assumptions. This needs to be trusted and transparent, so all stakeholders accept it provides truthful data. It needs to be configurable, so it reflects the organisation as it is instead of a best-fit approximation. It needs to make data understandable by all stakeholders, especially at the business and non-technical level, so they can make appropriate decisions about risk. And it needs to be actionable, so any data-driven insights can be translated into concrete action,” Gill added.
“The challenge is that while other areas of the business have tools that will give them the intelligence they need and act as a system of record, too often CISOs are left to struggle without. Addressing this inequality will help organisations demonstrate how assets map to important business services, provide clear ownership and accountability, and prove they can recover within defined impact tolerances.
“Doing this will help ensure the FCA’s demands aren’t a box-ticking exercise, but a way to increase resilience and control risk,” Gill concluded.
Recent disruptions at Barclays and Lloyds highlight a growing concern, with a Treasury Committee report revealing that major banks faced more than 33 days of outages over the past two years, preventing customers from accessing their funds.
If firms are unable to adequately safeguard their own assets, they lack the resilience regulators expect—particularly in terms of managing risks posed by third-party providers.