1. Principal Risks and Uncertainties
Section 414C of the Companies Act 2006 requires that the Strategic Report contains a description of the principal risks and uncertainties facing an organisation. When cyber or other digital risks are considered a principal risk, the FRC recommends disclosures. This includes a description of the entity-specific risks and opportunities connected to cyber and digital security, both now and in the future, as well as explanations about mitigating actions.
2. Strategy
The strategy disclosures should be coherent and consistent with the principal risks and uncertainties disclosures. It should be explained how the business model and strategy of the organisation have been shaped by cyber and digital risks. Key performance indicators (KPIs) used by management to monitor the execution of the cyber and digital strategy should be disclosed and discussed. These disclosures are required under Section 414C of the Companies Act 2006, if they are needed to explain the development, performance and position of the organisation.
When digital or cyber risks do not pose a significant or principal risk to the organisation, disclosure would not be required and is even discouraged, as it would introduce unnecessary clutter.
Entities that report under the UK Corporate Governance Code may also need to include disclosures about their cyber and digital strategy to comply with the Code (or explain why they do not comply).
3. Viability statements / Going concern
If cyber risks pose a threat to the long-term success of an organisation or digital opportunities are vital for the viability of a business, then these risks may need to be considered in the viability statement produced under the UK Corporate Governance Code 2024. The FRC stresses the importance of linkage and consistency between the descriptions of the principal risks and uncertainties, strategy and viability disclosures.
4. Business review
Section 414C of the Companies Act 2006 requires a description of the development and performance of the business during the financial year, and of the position of the business at the end of that year.
If an incident, such as a cyber-attack, has taken place during the reporting period, under the FRC guidance, the disclosures should highlight the impacts of the events (internal and external) and the resulting actions and activities.
Directors’ Report
A Directors’ Report is required for all companies, except micro-companies. Explicit governance disclosures, however, are only mandated for large private companies or companies that need to comply with the Disclosure and Transparency Rules. Governance disclosures are typically included in the Directors’ Report.
Governance
The FRC’s Corporate Governance Code Guidance refers to cyber security. It states that the Board plays a crucial role in strategically approaching cyber security, ensuring operational resilience and continuous functioning of the business and refers to the UK Government’s Cyber Governance Code of Practice (2025). The Bank of England has provided guidance on effective management practices in “Effective practices: Cyber response and recovery capabilities to management of financial institutions”.
Disclosures may need to include an explanation of the governance processes of cyber and digital risks and how this links with other governance processes. The FRC recommends disclosures of the oversight procedures and processes, culture and relevant skills in the organisation. There should be a clear linkage from the governance disclosures to the strategy and risk disclosures.
Financial Statements
There are a few areas where cyber and other digital risks may impact the financial statements. The specific requirements will depend on the accounting requirements applicable to the organisation, i.e., whether an entity reports in accordance with IFRS or UK GAAP.
1. Going concern assessment
For the preparation of the annual report and accounts, directors have to assess whether the business will continue as a going concern for a period of at least 12 months from the date the financial statements have been issued. If there are significant risks arising from cyber or other digital activities, then these need to be taken into account in the going concern assessment.
If there are material uncertainties about the ability of the business to continue as a going concern, for example, as a result of a cyber incident, then the uncertainties need to be disclosed. Should the business no longer be considered a going concern, the basis of preparation of the financial statements will need to be reassessed, and disclosures need to be included in the financial statements.
2. Presentation of expenses
It is not permitted to present expenses incurred in relation to cyber incidents or other events as extraordinary in the financial statements. If the expenses are material, they should be disclosed separately, either as a separate line item on the face of the income statements or in the notes to the financial statements.
3. Provisions and contingencies
Costs for any fines or other obligations resulting from cyber events may need to be provided for or disclosed as contingent liabilities. Recoveries expected from insurance or other reimbursement rights can only be recognised as an asset when virtually certain.
4. Impairments
A cyber incident at the organisation, at a customer or supplier, may be an indicator of impairment, which then triggers an impairment review of non-financial assets. Cyber and digital risks and their impact on customer receivables, loans and other financial assets will need to be considered as factors in impairment assessments.
5. Capitalisation of costs
Costs incurred to protect against cyber-attacks or upgrade digital systems need to meet certain recognition criteria in order for a business to capitalise them. The accounting requirements can be complicated to apply, particularly for cloud computing solutions. Costs related to training, awareness, or general IT maintenance are typically expensed.
6. Post-balance sheet events
If a cyber incident occurs after the reporting date but before the financial statements are authorised for issue, then the impact on the financial statements needs to be considered. Other events, for example the settlement of a legal claim relating to a cyber event, also need to be assessed to determine whether they give rise to an adjustment in the financial statements or need to be disclosed.
What questions should Boards ask?
- Are the organisation’s risk management practices aligned with guidance from the Bank of England, the UK Government's Cyber Governance Code of Practice (2025) and the UK Corporate Governance Code (2024)?
- Are digital and cyber risks significant risks for the organisation, and if so, are the risks and the mitigation actions sufficiently explained in the annual report and accounts?
- Is the information in the annual report tailored to the organisation, and is clear linkage made between the principal risks, governance and strategy for cyber and digital risks so that the messages are consistent?
- Is there an impact on the financial statements, and if so are the items appropriately presented, recognised and measured?
Conclusion
Financial institutions are a prime target for cyber criminals and many organisations will consider cyber and other digital risks a significant risk. Good disclosures in the annual report should explain the risks and mitigation actions, which include the governance of those risks. Consistency and coherence of the information reported in the annual report and accounts are key for investors and regulators.