Boards, executives, and Governance, Risk, and Compliance (GRC) teams must consider not only internal controls but also how third-party risks are governed, escalated, and reported. The draft, which is still open for public comment, shows that regulators are seeking integrated, proactive, and cross-functional oversight of cyber incidents across the full service ecosystem.
Boards, executives, and GRC teams are being called to rethink not only how incidents are reported, but why oversight, escalation, and accountability frameworks must evolve to reflect the realities of a highly interconnected financial system.
Third-party providers: expanding the risk horizon
Third-party relationships are no longer a matter of operational convenience; they are a strategic vector of risk and opportunity. Institutions must understand which providers underpin critical operations, how dependencies create systemic vulnerabilities, and how governance frameworks capture these risks at a board and executive level.
The draft reporting template underscores that regulators are seeking transparency and clarity in these relationships. While the specifics may evolve based on industry feedback, the underlying message is clear: boards and executives must ensure third-party oversight is embedded in strategy, not delegated solely to operational teams.
Key questions include whether institutions fully understand which providers are critical to operations, whether contracts explicitly address timely notification and co-operation during incidents, and whether accurate information can flow quickly enough to meet regulatory expectations.
Reporting timelines, template, and governance implications
The draft proposes a tiered reporting approach: an initial notification within 24 hours of classifying an incident, a follow-up update within 14 days, and a comprehensive report on a timeline agreed with the regulator. Although these are draft timelines and may change, they already highlight the need for robust cross-functional co-ordination.
Preparing the initial notification requires rapid collaboration across multiple teams. Information Security (InfoSec) investigates and documents the breach, Legal interprets contractual obligations with the third party, Risk assesses operational and systemic impacts, and Compliance ensures accurate information is captured and communicated in line with draft expectations. As the incident progresses, this collaboration continues through the follow-up update and comprehensive reporting stages, ensuring that decisions at both the executive and board levels are informed by timely and accurate information.
Reporting is a lens through which boards and executives view institutional resilience. It is a practical demonstration of the governance, legal, risk, InfoSec, and compliance nexus in action. Understanding the workflow and integrating these functions, from incident detection to reporting, helps leadership to anticipate challenges, allocate responsibilities, and maintain both operational continuity and regulatory compliance.
The draft invites boards to consider whether governance structures and escalation pathways are robust enough to support rapid, informed decision-making in an increasingly complex ecosystem. Leaders must ask themselves whether escalation pathways reflect materiality and systemic impact. Are responsibilities and decision-making authority clearly defined across functions? Are there forums where potential incidents are anticipated, discussed, and challenged, rather than merely reported after the fact?
The nexus of governance, legal, risk, InfoSec, and compliance is the crucible where institutional resilience is tested. The draft invites leaders to use reporting requirements as a mirror to reflect the strength, clarity, and integration of their oversight structures.
Challenging the status quo
The question is no longer whether a breach might occur, but whether governance structures are prepared to interpret, escalate, and act in a complex, interconnected environment. The draft makes it clear: regulators expect reflection, integration, and action, not mere reporting.
I encourage my peers, boards and executives to debate these questions openly. Reflect not only on what must be done, but why these expectations exist. Institutions that embrace this reflection can convert regulatory guidance into strategic advantage.
The takeaway
We did not arrive at this point overnight. Increasing reliance on digital platforms, cloud providers, and complex third-party ecosystems has reshaped financial institutions’ operational landscape. Cyber and IT risks, which were once managed primarily by IT departments, now intersect with governance, legal, risk, compliance, and strategic decision-making. The FSCA and PA draft reflects this evolution, signalling that regulatory expectations must match operational complexity.
This is a moment to reflect on how our approaches to third-party oversight, cross-functional co-ordination, and board engagement have evolved alongside digital transformation. By understanding not just what must be done, but why these expectations have emerged, boards and executives can use this consultation period to shape a more resilient, integrated, and forward-looking governance framework.
To translate insight into action, boards may consider scheduling a session to map critical third-party dependencies and review materiality thresholds before the draft is finalised. Institutions that take this opportunity seriously can transform regulatory guidance into a catalyst for strategic growth and systemic trust, a reflection of how far we have come and a blueprint for the future.