FCA SYSC
FCA's Senior Management Arrangements, Systems and Controls sourcebook — the conduct cyber rules for regulated firms.
FCA-regulated firms; expectations vary by firm size and activity.
Continuous evidence pipeline available; audit support included for all customers.
What FCA SYSC actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Senior Management & Certification Regime — named individuals accountable for cyber risk.
Systems and controls including cyber, operational resilience, and outsourcing.
Notification to FCA of material cyber incidents.
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
SMCR-aligned accountability matrix.
Material incident notification draft to FCA.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
SMCR accountability mapping.
Incident notification register.
One evidence base. Many regulators.
These frameworks share substantial control overlap with FCA SYSC. Customers running one assessment typically satisfy the others with the same evidence base.
PRA SS1/21
United Kingdom
The PRA's supervisory statement on operational resilience for UK banks, insurers, and PRA-designated investment firms.
DORA
European Union
The EU Digital Operational Resilience Act — applies directly to financial entities and designates critical ICT third-party providers as supervised.
Ready for FCA SYSC?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.