Orange Cyberdefense On The New FCA Cyber Reporting Rules
The Business of Cybersecurity · 2026-05-31 · 40 min
Substance score
56 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
There are genuinely useful distinctions (DORA being rules-led vs UK regime outcome-led, the 24-hour/10-question reporting requirement, intentionally vague incident definitions, concentration and nth-party risk), but they're diluted by ad reads, repetition, and platitudes like 'protection isn't enough.'
operational resilience regime in the UK is outcome led
you're obliged to do that within 24 hours
Originality
The content is largely a competent explanation of existing regulations rather than fresh or contrarian thinking; the 'collective defence' and 'resilience is board-level' framings are widely circulated takes.
protection is not enough
when it comes to cybersecurity, they aren't competitors, they have adversaries, they have shared adversaries and we need a collective defense
Guest Caliber
Ben Gibbons is a relevant senior practitioner—Managing Principal for Banking, Financial Services and Insurance at Orange Cyberdefense, the largest MSSP in Europe—with direct exposure to FS clients and regulatory work.
my official title is Managing Principal for Banking, Financial Services and Insurance at Orange Cyber Defence
we've got about 60 active clients of different shapes and sizes
Specificity & Evidence
Strong use of named examples and concrete numbers: the F5 breach, Clop campaign accounting for 18% of Q1 2025 extortion victims, the 40% third-party stat, 12-25 million pound cost estimate, £90m government pledge, Grisledger's 16,000 suppliers, and 19,000 incidents analysed.
F5 is used by about 80% of Fortune Global 500 companies
accounted for around 18% of all cyber extortion victims
Conversational Craft
The host asks topical, organized questions but they are long, leading, and PR-friendly; there is no pushback, no probing of Orange Cyberdefense's commercial framing, and claims go unchallenged.
So does that statistic confirm that supply chain exposure has become one of the most defining cybersecurity risks
I think that is a powerful moment to end on so much food for thought there and I cannot thank you enough
Episode notes
What happens when your biggest cybersecurity risk isn't inside your organization at all, but somewhere deep within your supply chain? In this episode of The Business of Cybersecurity, I sit down with Ben Gibbins, Head of Financial Services and Insurance at Orange Cyberdefense UK, to discuss the Financial Conduct Authority's new cyber incident and third-party reporting requirements and what they mean for financial institutions facing a March 2027 compliance deadline. The conversation begins with a striking statistic. More than 40% of cyber incidents reported to the FCA involved at least one third party, highlighting how interconnected digital ecosystems have created new points of vulnerability across financial services. Ben explains why attackers are increasingly targeting suppliers, service providers, and technology partners to gain access to larger organizations, and why regulators are becoming increasingly concerned about concentration risk across critical infrastructure. We also tackle one of the biggest misconceptions surrounding the new FCA requirements.
Full transcript
40 min · Transcribed and scored by The B2B Podcast Index.
And if you are running a business right now, you may have noticed there's a quiet shift happening. One that most people are still underestimating. And that is, your company doesn't live inside your network anymore. It lives inside the browser. That's where your SaaS apps sit. That's where your data moves. And increasingly, that's where attackers are focusing their attention. So NordLayer has just launched its new business browser, and it's designed specifically for small and medium sized companies that need visibility and control without the overhead of enterprise security tools. What I like here is the balance. You get advanced protection, better compliance and full visibility into how your team is working online but without slowing anyone down or forcing them to learn anything new. It feels like a practical step forward rather than another security layer that adds friction. So if you want to see more about how it works, please head over to Nordlayer.com slash browser and check it out and let me know your thoughts. But now on with today's show.
What happens when a cyber attack against one supplier suddenly becomes a crisis for hundreds of financial institutions? Well today on the Business of Cyber Security podcast, I'm joined by Ben Gibbons, Head of Financial Services and Insurance at Orange Cyber Defence UK. And together we're going to unpack the growing pressure facing financial firms as regulators tighten operational resilience expectations across the UK and Europe. And this is not a theoretical conversation. More than 40% of financial sector incidents typically involve a third party. And that's according to the FCA, which reinforces what many security leaders already suspect. Supply chain exposure is rapidly becoming one of the defining cybersecurity risks of modern business. So today Ben will talk about compliance with Europe's DORA framework.
It doesn't automatically mean compliance with the UK's operational resilience regime and why many firms still underestimate the complexity of incident reporting and how vague regulatory definitions are forcing organisations to rethink their internal processes long before a breach ever happens. I will also discuss the F5 breach, targeting file transfer platforms, concentrating risks inside critical suppliers and why collective defence may become one of the most important cyber security strategies of the next decade. So if you do work in financial services, cyber security, risk, governance or operational resilience, this conversation is aimed at offering a timely look at how the rules of resilience are changing, but enough from me. Let me introduce you to my guest now. So thank you for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do?
Yeah, no problem. So my name is Ben Gibbons and my official title is Managing Principal for Banking, Financial Services and Insurance at Orange Cyber Defence. But that doesn't really tell you much about what I do at all. Financial Services is the biggest market for Orange Cyber Defense in the UK, and it's growing. And so we've got about 60 active clients of different shapes and sizes. But because of our size and our reputation as an organization, we're the largest managed security services provider in Europe. Our clients expect us to bring kind of thought leadership and to be up to date on topics and what's going on across the financial services sector, as well as the cybersecurity ecosystem and the threat landscape. So that's essentially my role, ensuring that we stay up to date when meeting the needs of our clients. What that actually entails is a lot of reading, talking to cybersecurity leaders, vendors, our partners, analysts, and subject matter experts across the business to make sure that the right people are connected.
And there's so much that I want to talk with you about because after years of reading how users are being blamed for the weakest link in cyber security I was recently reading that the FCA said that there, I think it's something like more than 40 percent of cyber incidents reported in 2025 actually included a third party. So does that statistic confirm that supply chain exposure has become one of the most defining cybersecurity risks for financial services? Or is there more going on here? What did you take away from that stat?
I think that it's definitely a headline. And it is correct. It's consistent with our findings as well. So we look at about 19,000 different incidents that are in cyber defense across the world, so across sectors, across jurisdictions. And that's pretty much consistent with our own findings as well. So there's a number of reasons for that. The first one is that organizations are becoming more and more interconnected in terms of their supply chains. And things like adopting AI and adopting cloud services, they all contribute to that reality. The other thing is that actually being able to target a third party can often be a lot more fruitful than targeting a mature organization particularly. So maybe a couple of examples that we've seen just to give anecdotes. In October last year, F5 disclosed that a nation-state actor had breached its systems and exfiltrated source code and information about undisclosed vulnerabilities. To put that into perspective, F5 is used by about 80% of Fortune Global 500 companies. There's not a slight on F5, but it just gives you the insights into the potential impacts of the supply chain. And I think that regulators and governments are realizing that actually targeting supply chains can have a detrimental and disproportionate effect on our society and on our critical national infrastructure.
If you are able to target a concentration risk, as we call it within the third party realm, you can cause really substantial and consistent damage. Maybe another example that you might be interested in. This all comes from our security navigator, which we publish once a year on our findings and our research. It's a cyber extortion actor called Clop. It has a reputation. I built up a reputation in Q1 2025 for its large-scale attacks targeting commonly used file transfer platforms, and through that they were able to impact hundreds of victims. So just to give you a statistic, a single event leading to many, many victims accounted for around 18% of all cyber extortion victims that Orange Cyber Defense recorded in Q1 of 2025, just to give you an idea of the scale.
Wow, that really does bring it to life there. We will have many people listening inside of organizations around the world that assume that if they're already working toward compliance with regulations like Financial Conduct Authority, DORA requirements, then that's it. They're covered. But can you expand on why that assumption could actually create problems, especially as that March 2027 FCA deadline continues to get closer? Once upon a time, it seemed a long way away. It is getting closer, isn't it?
Yeah, absolutely. Um, so the first thing to understand, um, I guess is why you might make the assumption that if you're, um, aligned to DORA and you've implemented DORA, um, then you should be fine with the supervisory authorities', um, operational incident and third party reporting policy, which is part of their wider operational resilience regime. And that is, um, that both DORA and the UK's operational resilience regime are trying to achieve the same thing. So they both talk about critical national infrastructure and important sectors, well, financial services for DORA as critical national infrastructure.
And they're both concerned with operational resilience, which is, I would say, the recognition that protection isn't enough. You also need to be able to deal with an incident when it does occur and it will inevitably occur, and because of the complexity of the landscape and the challenges that we've got. So the other thing that might make it quite confusing for listeners is that DORA has got five key pillars, and all of those pillars are also covered by the operational resilience regime. So we're talking about risk management, we're talking about incident management and reporting, third party risk management, both of those, the last two that I just referred to, are obviously in the title of the policy that we're discussing today. And then there's also testing and information sharing. So even down to the chapters, as they're called in DORA, but the high level topics, both regimes are talking about the same thing. Now, that's why you might get them confused. But actually, they are completely different regimes. So DORA impacts any organization in financial services that operates within the EU. And many UK firms do that because of the size and the health of our financial services sector. Whereas the FCA and the PRA's joint regime target UK based organizations. So I suppose to compare and contrast them, operational resilience regime in the UK is outcome led. So the focus really is on identifying important business services and protecting them. Whereas DORA is rules-led and it's all about securing the technology. And in my opinion, it reads somewhat like an ISO standard in that sense. So they're both trying to do the same thing, but they take different approaches in doing that. The difference between the two regimes is that the operational resilience regime in the UK is outcome-led and the DORA regime is rules-led. The UK regime is focused on identifying your important business services, establishing the tolerances, your impact tolerances.
For example, a critical service may only be tolerant to your organization for that service to be down for four hours. You need to establish the components that make up that service, and then test severe but plausible scenarios. Whereas the DORA regime is rules-led and it reads somewhat like an ISO standard. So the challenge with that is that if you meet DORA, then you've secured your IT, but you haven't met the UK regulators' requirements to map how your people and your processes and your third party support those business services. Alternatively, if you followed the operational resilience regime in the UK, then you've likely got strong business continuity and disaster recovery capabilities, but you might fall foul of the DORA regime. So really what we're here today to talk about is for UK organizations to understand that... actually there is something that they need to do when it comes to this new operational incident and third party reporting policy. And if they don't do it, they may fall foul of the regulators.
Another one of the major themes in these new rules is the visibility into third party dependencies and indeed interconnected infrastructure. And just to take a peek behind the curtain for a moment, why has mapping digital supply chains become so difficult in modern financial service environments? What's been going on here? What's the cause?
So I would say that historically, the way that the industry has done third party risk management has not been fit for purpose. And I'll elaborate on that. So I think there's more of a recognition from regulators and from the market as a whole that in order to really manage your supply chain, you need to be able to continuously monitor it. So understand the changes that are occurring, often in real time, and also be able to understand that supply chains are an interconnected web rather than a kind of a single point and that it's more than just third-party risk.
We're talking about fourth-party, fifth-party, nth-party risk and really concentration risks at that level. So there's a recognition that we need to do more to really secure our organizations and the industry and this is really a step towards doing that.
The FCA is emphasizing faster, clearer and more structured incident reporting, all makes perfect sense, but in the middle of a live cyber incident, organizations are already dealing with operational chaos and the phone constantly going, people wanting updates, for example people running around with laptops looking busy, but how realistic is it for firms to deliver that meaningful reporting in real time without major changes to internal processes, especially when they're caught right in the eye of the storm there with that operational chaos?
I think that's a good question. So without changes to their internal processes, I don't think it's realistic. So the regulators have said that for 90% of organizations, well, the FCA really for 90% of organizations that come within the scope of the operational incident reporting requirements, they will only need to answer the standard set of questions, which is about 10 questions, and they're obliged to do that within 24 hours. So if you haven't really considered the policy and the requirements of the policy and how operational resilience, operational incidents relate to your organization, then you won't be able to do that or you will struggle to do that whilst you're kind of trying to get all hands on deck to deal with operational incidents. The reason I say that as well is because the policy is both prescriptive and not prescriptive, and I'll elaborate on that. So the FCA and the PRA, which combined are the Supervisory Authority, have agreed on the definition of an operational incident.
And that is essentially a single or series of events which disrupts firms' operations such that it disrupts the delivery of a service to an end user external to the firm or impacts the availability, authenticity, integrity, or confidentiality of information or data relating or belonging to such an end user. The reason that I share that definition is because it's open to interpretation. It's not clear, it doesn't give you quantitative conditions under which you need to inform the regulators of an incident. That's by design. The regulators have taken the stance that organizations should have a better understanding of what an operational incident, a material operational incident is. They should be interpreting that definition and defining it. If you haven't considered that as part of your internal processes and embedded those considerations into your internal processes, you will struggle to do that during an operational incident and the consequences could be severe. In fact, the regulators have actually been quite vague about the consequences, I think intentionally, because they do have some significant powers, but they also want to be proportionate as well. So is it realistic for you to be able to, during an incident, report on, in most organizations' cases, 10 simple questions? I think yes. Is it realistic if you haven't done the work to actually understand the policy, interpret it, and familiarize yourself with what you need to do? I would say no. Going back to the prescriptive and non-prescriptive element of this as well, the non-prescriptive side is that they've provided a definition and they've provided thresholds, and that's up to you to determine how to interpret that within your business as long as it makes sense, essentially. But they've been very prescriptive on how you have to report that information. So you're going to have to report that using the FCA Connect portal. And that's both for the PRA and the FCA.
And you have to use a standardized template, an Excel spreadsheet, essentially, which gives you very specific information that you need to share with them.
And I think we've all been on the wrong side of outages involving big providers from Cloudflare to Amazon Web Services, which have all demonstrated how a single third party issue can ripple across entire industries. In some cases, it feels like half the internet has disappeared and all your apps or your SaaS apps disappear very quickly. So what lessons do you think financial institutions should maybe take from those high profile incidents when thinking about resilience and concentration risk? Any big lessons there?
So I think the biggest lesson that the regulators are trying to enforce as well is about operational resilience. So when I say that, it means that protection is not enough. To try and protect yourself or believe that organizations and the critical suppliers that you rely on are not going to suffer outages and incidents I think is a mistake. So really it's very important to have business continuity, disaster recovery, resilience embedded into everything that you do in your critical services, really, and your important business services in this case. And that means making sure that you've got a plan, making sure that that plan is tested, making sure that you've considered severe but plausible scenarios, which is what the regulators talk about. So that if an incident does happen, you have experience, you understand the plan and it's tried and tested so that you can maintain that kind of tolerance of your services and your systems.
Big thank you to Denodo for supporting the Tech Talks Network and making these conversations possible. Because when your lake house stores the data, the real challenge is getting that data where it needs to go and faster. And your lake house stores the data, but Denodo helps deliver it faster.
So with real-time access, built-in governance and a business-ready data marketplace, Denodo can help your teams unlock insights without costly duplication. And you can learn more by simply visiting denodo.com.
There's also always been a somewhat tension between regulatory compliance that must be done and the reality of all the operational reality that's inside every organization. So I'm curious from those conversations you're having with firms today, where are organizations most unprepared when it comes to meeting these FCA expectations when they are trying to balance it with operational reality, alert fatigue and everything in between?
That's a good question. So I would say that with large organizations that are regulated, dual regulated, so regulated by the PRA and FCA, they should already be meeting many of the requirements of this policy in the sense that they should have outsourcing policies or third party or supply chain risk policies. They should have processes in place. They should have incident response processes and plans, and they should be tested regularly. They should have business continuity and disaster recovery plans in place. What they won't have is very specifically aligned processes and policies. And that's consistent with what the regulators expect to happen as well. So every time that the regulators implement a new policy or changes, they have to do a cost benefit analysis. They estimate that there'll be around 12 to 25 million pounds in expenses as a result of implementing these policies. So the idea is that most organizations, there shouldn't be some really significant changes that need to come into play. However, for smaller organizations, there probably will be significant processes that need to go into place. They may not be doing the prerequisite activities that are required in order to get to the position where you can report on your material third parties and your operational incidents.
I think it's a fair comment that organizations are struggling with things like alert fatigue and definitely security teams that we're speaking to and security leaders have got 101 things on their plate. The good thing about regulation is that it forces organizations to prioritize building their capabilities up. So I am supportive of regulations, but one of the challenges is actually in terms of providing this information, what's the value that the regulators are kind of going to get out of that? Now, the regulators have provided the rationale behind collecting this information. But that is a question. It's going to require additional effort and additional resources from firms, even if it's just to understand what the obligations are, and there's minimal changes that are required. And that does take away from the kind of the day-to-day activity. But in the same time, it raises the bar. So I guess generally, I am supportive of it. And it gives us a great excuse to talk about operational incidents, the importance of planning for operational incidents, the importance of operational resilience and the importance of supply chain risk management.
And I know you've said regulators and the private industry need to collaborate more closely to tackle systemic supply chain risks and some of the things that we're talking about today. But in the real world, what does meaningful collaboration actually look like in practice, especially when some organizations might be reluctant to share sensitive incident data? There's somewhat of a balancing act there and a great deal of trust as well, right?
I think that's a good point that organizations, you know, just to kind of really pick up on the point that organizations are potentially reluctant to share information with one another. So I'd like to kind of elaborate on that one. So it is true that competitors, organizations, you know, banks, insurance organizations, or insurance firms, they are competitors.
But when it comes to cybersecurity, they aren't competitors, they have adversaries, they have shared adversaries and we need a collective defense and that's important for our society but it's also beneficial to kind of crowdsource anonymously in many cases intelligence that helps you to bolster your defenses. So there are organizations out there that support collaboration. One of them, for example, is in the insurance sector is the Lloyd's Market Association, where market authorities or agents collaborate essentially on many things including cybersecurity to strengthen the market as a whole. So I do think that even though in some ways organizations might see themselves as competitors within cybersecurity, there's a recognition that we're all fighting the same battle. And we actually see that quite a lot within our clients and our industry. So one of the things that our clients really enjoy about our own cyber defense is our communities. And we see that actually across the partners that we work with as well. So building these CSO communities and collaborating and discussing kind of the collective challenges that we have, and how we work together to overcome them. So a great example of that actually is that Orange Cyber Defense hosted a series of dinners with financial services leaders, so CISOs, to discuss operational resilience in practice, so away from kind of policies and away from regulations and what the real challenges are there. One of the real challenges that came out of those discussions actually is visibility of the extended supply chain and understanding concentration risks. When asked, and I asked about 24 CISOs from all across the financial services sector, some very major organizations, the real challenge was actually they had visibility of third parties and in some cases, fourth party, but beyond that, it was a total black box.
So collaboration with the sector doesn't just mean collaboration amongst organizations, but it also means collaboration with threat intelligence providers and Orange Cyber Defense is a leader in threat intelligence globally, but also the innovators in the space. One of the real benefits that I get being in the position that I am at a large cybersecurity company is that I get to work with some of these disruptive platform providers. And one of those is a company called Grisledger. And the real differentiator that they've got is their nth-party mapping, and they provide lots of information on this online. But essentially, they have 16,000 suppliers on their platform. And they use that to develop a better sense of concentration risk across various levels of the extended supply chain anonymously. And they provide that back to their community anonymously. So you can contribute to that, but you're not being identified to do that. The real benefit there, both for the industry and also the regulators, is there is innovation. We have a very strong and innovative cybersecurity sector within the UK, and there's knowledge and innovation in the private sector that can support the regulators with their purposes of this policy. Maybe if you're human me now, I would say that the three purposes of collating information in regards to operational incidents and third party risk is the regulators want to improve their ability to triage sector-impacting incidents more effectively. They want to develop thematic analysis to identify trends and insights that will drive future policies and policy updates. They want to better understand the interconnectedness of supply chains and extended supply chains, which is what we would call concentration risks. I think that partnering with cybersecurity companies that provide threat intelligence, and we'll often do that for free.
Orange Cyber Defense is very supportive of the public sector in the UK and very open and happy to provide threat intelligence for free, organizations that are disruptive in the way that they approach things like third party risk management and also partnering with incident responders and organizations themselves that are happy to kind of contribute and that have contributed through the consultation is a way to do that.
And looking ahead, I'm curious, do you think these new FCA rules are at the beginning of maybe a much broader global shift towards stricter cyber resilience accountability for third party ecosystems? And if you do, I mean, what does that mean for the future of cybersecurity leadership in regulated industries? It feels like there's a lot going on here.
So in regards to the first question, I think that the UK financial services sector and the UK in general are mature in terms of their cybersecurity capabilities. It's one of the most mature markets in the world. And because of that, they are somewhat of a barometer for change and what's coming kind of across the world. Now, we did see DORA release their regulate or the EU released the DORA regulation. And we have our own regulation as well. And this is a reiteration, let's say, of our operational resilience regime. So from our perspective and our closest economic partners in the EU, this is a continuation of the emphasis on operational resilience and the importance of truly recognizing or truly dealing with extended supply chain security. And I think that will be replicated in other markets across the world, and it will need to be replicated in different countries and different areas across the world in order for those companies to keep their societies and their economies secure.
In regards to what it means for the future of cybersecurity leadership in regulated industries and financial services industries, I would go back to the comments that we made or the conversation that we had a little bit earlier, which is there has to be a recognition that this is a group activity and this is an effort that everyone needs to support and we need to collaborate with one another. No organization can manage its extended supply chain on its own. And I think the regulators and the government recognize that. I think that many leaders within financial services, particularly at the firms that we work at, recognize that. And they're already contributing to forums, they're already very willing to discuss with us and to utilize our communities, but also discuss with kind of innovators that are sharing information, whether that be threat intelligence, or approaches to third party risk management. And I think there needs to be a combined effort for organizations, not just in financial services, but across the board to put greater emphasis on the security of the third parties that they work with. And I think that can be challenging, especially in the era of AI, when organizations are worried about, have FOMO. So they're worried about not, if they don't embed AI into their processes and they're not utilizing the newest technology. They might lose their place in the market, which leads to shadow AI, which isn't managed by security teams. It leads to processes not being followed in many cases, or not really a real understanding of the way that we're using technology and the exposures that we're putting ourselves to, especially in regards to data security. I think that the government recognizes that, which is really good to see.
As I mentioned to you off the podcast, I was at CYBERUK in Glasgow a couple of weeks ago, and Dan Jarvis, who I believe is the Minister for Security, certainly a prominent member of the government, announced that he will be or the government will be pledging £90 million towards operational resilience within the supply chain, and that is essentially ensuring that organizations are adhering to the Cyber Essentials, the Cyber Essentials framework. And the public sector bodies are pledging essentially to only use organizations that at least meet the Cyber Essentials framework requirements. And that is one way to strengthen the supply chain. But of course, it's going to be a continuous effort to do that and a continuous effort as well to recognize is the limitations on outsourcing and the need to actually have compensating controls and defense in depth, which is having, for example, for important business services, secondary suppliers and non-linked elements within your disaster recovery, your business continuity.
And I think that is a powerful moment to end on. So much food for thought there, and I cannot thank you enough for taking the time to sit down with me today and demystify some of those Financial Conduct Authority and DORA requirements, put it all in a language that everyone can understand and especially inside any organization. And as that March 2027 FCA deadline approaches, anyone listening that would like to continue this conversation with you or your team. Where would you like me to point everyone?
I would be more than happy for people to contact me on LinkedIn. Alternatively, contact Orange Cyberdefense. The other thing that I would say is that even if you're not interested in contacting Orange Cyberdefense at the moment to discuss this, we do share a lot of threat intelligence information in a mechanism that can be read by and kind of anyone through our Security Navigator reports.
And that's about 100 pages worth of threat intelligence and our views on where things are going, including third party risk, including our insights from, as I said, the 19,000 true positive instances that we dealt with last year. And the other thing that I would recommend that people do is take the time to actually read the guidance that the FCA and the PRA provide. They are obliged to provide not only their rules, but also the rationale behind their rules, as well as the challenges that have been posed during consultation. And I think that those are really useful documents for understanding what's coming in the future, but also the requirements that you need to adhere to now. But as I said, I'm very happy to talk to your listeners on a one-to-one basis about the rules.
Perfect, thank you so much. So for everybody listening, if you go over to techtalksnetwork.com, there will be a blog post associated with this episode and there'll also be a section of useful links there. I'll include links to everything you mentioned there, including the Security Navigator report, the guidance documents, your website and LinkedIn, et cetera. So I will include everything there. And I urge people to get in touch, let you know, let me know what they thought of everything we covered today, also how it might help, some of the challenges they've come across. It'd be great to share everything together there and work that way forward together. But thank you for starting this conversation today, Ben. Been a real pleasure.
Thank you for having me, Neil.
So a big thank you to my guest for joining me today and helping unpack what is becoming one of the most important shifts that is happening in cybersecurity right now.
And I think this idea that resilience is no longer limited to protecting your own environment is quite striking because organisations are now being judged on how well they understand their dependencies, suppliers, platforms and interconnected systems that are sitting behind their critical business services. And this changes the conversation completely because it's no longer simply just an IT issue or a compliance exercise sitting in a spreadsheet somewhere. Operational resilience is becoming a board-level business priority, especially as regulators demand faster reporting, clearer accountability and deeper visibility into third party exposure. And I thought Ben made an important point there about collaboration. Cyber criminals already operate as highly connected ecosystems that are sharing tools, techniques and infrastructure. And defenders are increasingly realizing they cannot treat resilience as a competitive advantage that they keep behind closed doors. So if you'd like to learn more about Orange Cyberdefense UK, the Security Navigator research we referenced or the FCA and PRA guidance discussed today, I'll have links to everything in the show notes, please check it out. And I'd love to hear your thoughts after listening. Pop over to techtalksnetwork.com, let me know your thoughts on anything we raised today. And are you and your organization genuinely prepared for this new era of operational resilience? Or are your teams still treating supply chain security as somebody else's problem? Lots to think about. And I've taken up far too much of your time. So you have a think about that. Let me know your thoughts and I'll return again soon with another guest. Thanks as always. Bye for now.