FCA CQUEST

The FCA's questionnaire to help to understand firms' cyber resilience capability

CQUEST

The FCA and PRA have created a self-assessment questionnaire to help both firms and the regulators to understand their cyber resilience capability at a high level.

CQUEST consists of multiple-choice questions covering aspects of cyber resilience, such as:

Does the firm have a board-approved cyber security strategy?
How does it identify and protect its critical assets?
How does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development. If you would like to complete the questionnaire please email: CQUEST@fca.org.uk.

Reporting a cyber incident

Under Principle 11 of the FCA Handbook, you must report material cyber incidents. An incident may be material if it:

results in significant loss of data, or the availability or control of your IT systems
affects a large number of customers
results in unauthorised access to, or malicious software present on, your information and communication system

How to report a cyber incident

1. If you judge a cyber incident to be material, report it as follows:

Fixed firms should contact their named FCA supervisors, and flexible firms should call 0300 500 0597 or email firm.queries@fca.org.uk.
If your firm is dual-regulated, you should also contact the Prudential Regulation Authority.
If the incident is criminal, you should contact Action Fraud or call them on 0300 123 2040.
If the incident is a data breach, you may need to report it to the Information Commissioner's Office.

2. Refer to the NCSC guidance on reporting incidents.

3. Share on the CiSP platform.