FCA PS24/16 Cloud Security Obligations

Cloud Security
3/15/2026

FCA PS24/16 cloud security obligations for Edinburgh financial firms

By Virtually Pro

This FCA PS24/16 cloud security guide covers the essentials for your business. FCA PS24/16, published in November 2024, is the policy statement on critical third parties to the UK financial sector; it sits on top of the FCA’s operational resilience rules (PS21/3, now SYSC 15A), whose transition period ended on 31 March 2025. Since that date, Edinburgh financial firms in scope of those rules must be able to show that they have mapped their Important Business Services, set impact tolerances, and tested that they can remain within those tolerances during disruption, and the FCA expects every regulated firm, proportionately, to understand the same things about its own cloud dependencies. The part most firms haven’t addressed: cloud services sit squarely within scope as third-party dependencies, and shadow IT creates unmapped cloud dependencies that the FCA will ask about (see also the NCSC Cloud Security Guidance).

TL;DR: The FCA’s operational resilience rules require firms in scope to map, test, and maintain resilience for Important Business Services, and PS24/16 (November 2024) extends the regime to the critical third parties, including the major cloud providers, that those services depend on. 67% of FCA-regulated firms rely on cloud for IBS delivery (FCA, 2024). Edinburgh IFAs, wealth managers, and FCA-authorised law firms face three concrete obligations: mapping, tolerance-setting, and resilience testing. This article explains what each means in practice.

What PS24/16 Actually Says About Cloud

Most commentary on operational resilience talks about business continuity in broad terms. The cloud-specific implications come from three sources: the FCA’s operational resilience rules in SYSC 15A (PS21/3), which require firms to map and test the third parties supporting each Important Business Service; the FCA’s outsourcing rules in SYSC 8 together with its guidance for firms outsourcing to the cloud and other third-party IT services (FG16/5); and PS24/16 itself, which brings critical third parties such as the large cloud providers under direct regulatory oversight.

Key context: The NCSC handles roughly one nationally significant cyber incident every two days, with cloud infrastructure increasingly targeted (NCSC Annual Review 2025). 43% of UK businesses identified a cyber attack or breach in the past 12 months (DSIT Cyber Security Breaches Survey 2025), and cloud misconfiguration remains among the top attack vectors.

The key concept is the third party on which an Important Business Service depends. Under the operational resilience rules, any service provider – including a cloud platform – whose disruption would cause a firm to breach an impact tolerance belongs on the IBS map and within the scope of testing; PS24/16 adds a further layer for the largest such providers, which HM Treasury can designate as critical third parties. For Edinburgh financial firms, the dependencies in question include Microsoft Azure and Microsoft 365, client portal platforms hosted on SaaS infrastructure, cloud-hosted compliance and KYC/AML systems, and any cloud service holding client data that affects your ability to deliver regulated services.

The FCA’s expectation is not that cloud services are risk-free. It is that firms understand their cloud dependencies, have defined how long they can operate without each service, and have tested whether they could actually recover within that timeframe.


The Three Obligations: Mapping, Tolerance-Setting, and Testing

The operational resilience regime creates three concrete obligations for Edinburgh financial firms. Understanding each is essential before an FCA supervisory review.

Obligation 1: Mapping

Mapping means documenting every process, system, and third party involved in delivering each Important Business Service. For an Edinburgh IFA, a typical IBS might be “provide investment advice to retail clients.” Mapping that service requires documenting which staff perform it and from where, which technology systems they use, which cloud providers host those systems, and which data flows occur and where data is stored.

The FCA does not prescribe a mapping format, but expects firms to present complete maps during a supervisory review. Many Edinburgh IFAs have never formally documented these dependencies. PS24/16 requires them to.

Shadow IT creates the most dangerous mapping gap. If a financial adviser uses a personal ChatGPT subscription to draft suitability report summaries, and that tool is processing client data, it is an unmapped cloud dependency. The FCA’s question will not be “did your authorised systems stay up?” – it will be “can you prove no unmapped dependencies affected your service delivery?”


Obligation 2: Impact Tolerance-Setting

An impact tolerance defines the maximum time a disruption to an IBS can last before causing intolerable harm to clients or market integrity. Edinburgh firms must set tolerances in concrete terms – not “as quickly as possible”:

  • Client data unavailability: Maximum time clients can be without access to their records
  • Transaction processing delay: Maximum time investment transactions can be delayed
  • Communication disruption: Maximum time client communications can be interrupted

For most Edinburgh IFAs, realistic impact tolerances are 24-72 hours for non-time-sensitive services and 4 hours or less for services involved in market transactions.

Our finding: When we work with Edinburgh FCA-regulated clients on PS24/16 mapping, most firms initially set tolerances that are aspirational rather than tested. The FCA expects tolerances based on actual recovery capability validated through testing. Mapping exercises consistently reveal that actual recovery capability is 2-3x longer than firms assumed.

Obligation 3: Resilience Testing

Testing means demonstrating that your firm can remain within its impact tolerances during a disruption scenario. The FCA expects testing to become increasingly severe over time – from tabletop exercises toward actual simulation of disruptions. Relevant cloud resilience tests for Edinburgh financial firms include:

  • Microsoft 365 outage simulation – Can staff access client records via fallback systems if M365 is unavailable for 24 hours?
  • Cloud backup restoration test – How long does it actually take to restore from your last backup?
  • Vendor unavailability test – If your cloud CRM vendor stopped service tomorrow, could you retrieve client data from your own export or escrow copy within your tolerance period?

Citation capsule: The FCA’s operational resilience rules (SYSC 15A, finalised in PS21/3) have applied in full since 31 March 2025 and require firms in scope to map Important Business Services, set impact tolerances, and conduct resilience testing; FCA PS24/16 (November 2024) extends the regime to critical third parties. Cloud services – including Microsoft 365, SaaS compliance platforms, and third-party data processors – are in scope as third parties supporting an IBS. Edinburgh IFAs, wealth managers, and FCA-authorised solicitors should document and test their cloud dependencies as a priority.

[Timeline figure] FCA operational resilience and PS24/16 compliance timeline for Edinburgh financial firms: Mar 2022, operational resilience rules (SYSC 15A) in force, with firms required to have identified Important Business Services and set impact tolerances; Nov 2024, PS24/16 published; 31 Mar 2025, end of the transition period, all three obligations in effect; Q4 2025 onward, FCA supervisory reviews. Source: FCA PS24/16 (November 2024); FCA PS21/3.

How Shadow IT Creates an Unmapped Cloud Dependency

The most common compliance gap we see in Edinburgh financial firms is shadow IT – cloud applications used by staff that are not documented in any IT or compliance register.

From our experience: the first thing we check during cloud security assessments is shadow IT exposure. Most firms are genuinely surprised by how many unsanctioned cloud applications their staff connect to corporate data daily.

Consider this scenario: a financial adviser uses a personal ChatGPT Plus subscription to draft suitability report summaries. The AI tool processes client data – name, age, risk profile, investment objectives, holdings. This creates an unmapped cloud dependency (OpenAI infrastructure), a potential UK GDPR Article 28 breach (no data processing agreement), and a PS24/16 mapping gap.

If the FCA asks “can you demonstrate your suitability report process was unaffected by third-party cloud disruptions?”, the honest answer is “we don’t know – we didn’t know staff were using this tool.”


What the FCA Will Ask in a Review

Based on PS24/16, the FCA’s operational resilience rules and its published supervisory communications, Edinburgh firms should expect questions including:

  • Show us your Important Business Services inventory
  • What are the impact tolerances for each IBS?
  • How did you identify your important third parties – does your list include cloud providers?
  • When did you last test your resilience for each IBS?
  • What happened when testing revealed a tolerance breach?

Firms unable to answer the first three questions are likely to receive supervisory action.

The Five-Step Cloud Resilience Checklist for Edinburgh Financial Firms

Step 1: Map your Important Business Services. List the services your FCA authorisation covers. For each, document every cloud system used in delivery.

Step 2: Identify your important third-party cloud providers. For each cloud system, confirm: Who hosts it? In what country? What is their SLA? What is your contractual right to data recovery?

Step 3: Run a shadow IT discovery. Use Microsoft Defender for Cloud Apps, or the Cloud App Discovery capability that comes with Entra ID P1 (part of Microsoft 365 Business Premium), to identify the cloud applications staff actually reach from corporate devices and accounts, and review the enterprise applications and OAuth consents in Entra ID for tools staff have connected to their work identity. Add every business-relevant discovery to your IBS mapping, and put any unsanctioned tool that is processing client data in front of a decision: sanction it under a proper contract, or block it.

Step 4: Set and document impact tolerances. For each Important Business Service, document the maximum acceptable downtime in hours – not vague terms. Confirm the tolerance is realistic based on actual recovery capability.

Step 5: Test and record. Conduct at least one tabletop resilience exercise per IBS per year. For critical services, conduct a real recovery test. Document outcomes and gaps identified.
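The five steps above, together with the tolerance and testing points under Obligations 2 and 3, reduce to a small dependency model that can be checked mechanically. The following is an added example and not the page’s or Virtually Pro’s tooling: it walks a constructed IBS map, uses tested recovery times to compute the worst-case restoration time along the critical path, compares that against the documented tolerance, flags dependencies for which no tested figure exists, and reconciles a discovery export against the map to surface shadow cloud apps. The firm, systems, recovery times, the assumption that Intelliflo signs in through Microsoft 365, the "Payments platform" and the discovery rows are all constructed for illustration; the discovery rows only mimic the shape of a cloud app discovery export.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Dependency:
    """One system or cloud service on the IBS map."""
    name: str
    provider: str
    tested_recovery_h: Optional[float]                 # hours measured in the last restore test; None = never tested
    depends_on: List[str] = field(default_factory=list)  # what must be back before this can be restored


@dataclass
class ImportantBusinessService:
    name: str
    tolerance_h: float          # documented impact tolerance, in hours
    entry_points: List[str]     # dependencies the service is delivered through


def critical_path_h(dep_name: str, deps: Dict[str, Dependency], _seen=()) -> Optional[float]:
    """Worst-case hours to restore dep_name. Restores are treated as sequential: the
    slowest upstream dependency must be back before this one can be rebuilt, so the
    answer is the longest path through the graph. None means something on the path
    has never been tested, so no defensible figure exists."""
    if dep_name in _seen:
        raise ValueError(f"dependency cycle at {dep_name}")
    dep = deps[dep_name]
    if dep.tested_recovery_h is None:
        return None
    upstream = 0.0
    for child in dep.depends_on:
        t = critical_path_h(child, deps, _seen + (dep_name,))
        if t is None:
            return None
        upstream = max(upstream, t)
    return upstream + dep.tested_recovery_h


def untested(dep_name: str, deps: Dict[str, Dependency]) -> List[str]:
    """Every dependency on dep_name's path that has no tested recovery time."""
    dep = deps[dep_name]
    found = [dep.name] if dep.tested_recovery_h is None else []
    for child in dep.depends_on:
        found += untested(child, deps)
    return found


def assess(ibs: ImportantBusinessService, deps: Dict[str, Dependency], discovered: List[dict]) -> dict:
    """Compare tested recovery capability with the documented tolerance and list
    discovered cloud apps that appear nowhere on the map (shadow IT)."""
    paths = [critical_path_h(ep, deps) for ep in ibs.entry_points]
    recovery = None if not paths or any(p is None for p in paths) else max(paths)
    mapped = set(deps)
    return {
        "ibs": ibs.name,
        "tolerance_h": ibs.tolerance_h,
        "tested_recovery_h": recovery,
        "within_tolerance": recovery is not None and recovery <= ibs.tolerance_h,
        "untested_dependencies": sorted({n for ep in ibs.entry_points for n in untested(ep, deps)}),
        "unmapped_cloud_apps": sorted(row["app"] for row in discovered if row["app"] not in mapped),
    }


# --- constructed sample map (illustration only, not a real firm) ---
DEPS = {d.name: d for d in [
    Dependency("Microsoft 365", "Microsoft", 8.0),
    Dependency("Intelliflo", "Intelliflo", 12.0, ["Microsoft 365"]),          # assumed: SSO via Entra ID
    Dependency("Client document store", "Microsoft (SharePoint Online)", 20.0, ["Microsoft 365"]),
    Dependency("Payments platform", "hypothetical SaaS vendor", None),        # never restore-tested
]}
SERVICES = [
    ImportantBusinessService("Provide investment advice to retail clients", 24.0,
                             ["Intelliflo", "Client document store"]),
    ImportantBusinessService("Process client money", 4.0, ["Payments platform"]),
]
# Constructed rows in the shape of a cloud app discovery export (app, category, user count)
DISCOVERED = [
    {"app": "Microsoft 365", "category": "Productivity", "users": 14},
    {"app": "Intelliflo", "category": "Financial services", "users": 9},
    {"app": "ChatGPT", "category": "Generative AI", "users": 3},   # nobody put this on the map
]


def run_example() -> Dict[str, dict]:
    """Assess every constructed IBS against the constructed map and discovery rows."""
    return {s.name: assess(s, DEPS, DISCOVERED) for s in SERVICES}


if __name__ == "__main__":
    for finding in run_example().values():
        print(finding)
```

On the constructed data the advice service restores in 28 hours (Microsoft 365 first, then the document store on top of it) against a 24-hour tolerance, the client money service has no defensible figure at all because its platform has never been restore-tested, and ChatGPT appears in discovery but nowhere on the map. Those three outputs are exactly what Steps 3, 4 and 5 are meant to feed back into Step 1 before a supervisor asks.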

The FCA’s PS24/16 guidance makes clear that firms are expected to improve resilience posture over time – not achieve perfection immediately. The supervisory risk is not having gaps; it is having gaps with no plan to close them. Edinburgh firms that can demonstrate a structured programme of mapping, testing, and remediation are in a defensible position even if the programme is not yet complete.

Citation capsule: The FCA’s operational resilience rules require firms to set impact tolerances defining the maximum time each Important Business Service can be disrupted without causing intolerable harm (FCA PS21/3; critical third parties regime in FCA PS24/16, November 2024). Cloud services including Microsoft 365 and SaaS compliance platforms are third parties supporting those services under the framework. Edinburgh financial firms must document these dependencies and demonstrate they have tested recovery within defined tolerance periods.


PS24/16 Specific Requirements: What the Policy Statement Actually Says

FCA Policy Statement PS24/16, published in November 2024 jointly with the PRA and the Bank of England, finalised the critical third parties regime: the rules for overseeing technology and other service providers whose failure could affect the stability of the UK financial sector. It builds on the earlier Discussion Paper DP22/3 and the 2023 consultation that followed it, and sits alongside the FCA’s existing operational resilience (SYSC 15A) and outsourcing (SYSC 8) rules. Understanding the specific requirements – rather than the general framing – is essential for Edinburgh firms assessing their compliance obligations.

The core requirement is that firms must identify and manage risks arising from their use of third-party services and technology infrastructure. For cloud-dependent firms – which now includes virtually every Edinburgh IFA, wealth manager, and financial services firm of any size – this means formal oversight of cloud service providers as part of your operational resilience framework.

Key specific requirements under PS24/16 include:

  • Critical Third-Party (CTP) designation: Under the regime finalised in PS24/16, HM Treasury can designate technology providers whose failure could threaten the stability of the financial sector as critical third parties, and the FCA, PRA and Bank of England then oversee them directly. AWS, Microsoft Azure, and Google Cloud are widely expected to be among the first designations. Designation does not relieve a firm of its own obligations: firms using these providers must still demonstrate they’ve assessed the concentration risk and have appropriate contingency plans.
  • Enhanced due diligence: Firms must conduct and document due diligence on material outsourcing arrangements, including cloud services. Due diligence must cover security controls, business continuity, data residency, and sub-contractor arrangements.
  • Contractual requirements: Cloud service agreements must include specific provisions around audit rights, notification of security incidents, business continuity obligations, and data deletion on termination. Generic enterprise cloud contracts don’t automatically satisfy these requirements.
  • Business Services mapping: Firms must map their Important Business Services (IBS) to the underlying technology that supports them – including cloud infrastructure. This mapping must be maintained and tested.
  • Incident reporting: Under Principle 11 and SUP 15.3, firms must notify the FCA promptly of significant operational incidents, including security incidents affecting cloud-hosted systems; the FCA has consulted (CP24/28) on a formal operational incident and third-party reporting regime with defined timeframes.

The Timeline: What Applies When

PS24/16 has a phased implementation timeline that Edinburgh firms need to understand to prioritise their compliance work.

The operational resilience rules in SYSC 15A (finalised in PS21/3, the framework PS24/16 builds on) came into force on 31 March 2022, when firms in scope had to have identified their Important Business Services and set impact tolerances. The transition period ended on 31 March 2025, by which date firms had to be able to demonstrate they could remain within those tolerances. Firms that haven’t completed this work are already behind the primary deadline.

The critical third parties rules in PS24/16 took effect on 1 January 2025. They bind the designated providers rather than the firms using them, so nothing changes for a firm until HM Treasury designates a provider it relies on; the firm-side expectation through 2025 and into 2026 is continued work on mapping, tolerances and testing. The FCA has been clear that it expects to see evidence of progress – not just documented plans – during supervisory visits.

For Edinburgh firms in the smaller firm category (solo advisers, small IFA practices, boutique wealth managers), the FCA’s proportionality principle applies: requirements scale with the size, nature, and complexity of your business. However, proportionality doesn’t mean exemption. A solo IFA using Intelliflo and Microsoft 365 still needs to demonstrate they’ve assessed their cloud dependencies and have appropriate controls.

What Edinburgh IFAs and Wealth Managers Need to Do

Translating PS24/16’s requirements into practical steps for Edinburgh’s financial services community requires cutting through the regulatory language. Here’s what the work actually looks like.

Step 1 – Cloud inventory and classification. Document every cloud service you use. This includes obvious items (Microsoft 365, your CRM, your financial planning software) and less obvious ones (cloud-based email filtering, backup services, video conferencing). For each service, classify it by whether it supports an Important Business Service. If your CRM goes down, can you still service clients? If your financial planning tool is unavailable, what’s the impact on client advice delivery?

Step 2 – Supplier due diligence. For each material cloud service, review the provider’s security documentation. Most major cloud providers publish SOC 2 Type II reports, ISO 27001 certificates, and penetration testing summaries. Download these documents and retain them. Review the contractual terms against the FCA’s contractual requirements for outsourcing arrangements. If your contract is a standard consumer-grade agreement, you likely need an upgrade to a business or enterprise tier with appropriate terms.

Step 3 – Security configuration review. PS24/16 doesn’t just require that you use cloud services – it requires that you use them securely. For Microsoft 365, this means reviewing your tenant security settings: MFA enforcement, conditional access policies, data loss prevention rules, audit logging retention. Many Edinburgh firms have Microsoft 365 configured to default settings rather than FCA-appropriate security baselines. A gap exists between “we have Microsoft 365” and “we have Microsoft 365 configured to meet FCA security expectations.”

Step 4 – Incident response planning. PS24/16 requires that firms have incident response plans that cover technology and cloud-related incidents. The plan needs to address detection, containment, notification (to the FCA and affected clients), and recovery. This plan should be tested – the FCA expects tabletop exercises, not just documented procedures that have never been rehearsed.

Step 5 – Business continuity for cloud failures. If your primary cloud provider suffers an outage, what happens? For Edinburgh wealth managers, client meetings, investment reporting, and trade execution may all depend on cloud availability. Your BCP needs to address cloud provider failure scenarios specifically, not just office-based disruptions.
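Step 3 above (and Priority 2 below) is about reviewing the Microsoft 365 tenant against a baseline rather than trusting defaults. As an added example that is neither Virtually Pro’s tooling nor Microsoft’s, the script below checks an exported set of Entra ID Conditional Access policies for two things the supervisor’s "is MFA enforced?" question turns on: an enabled policy requiring MFA for all users on all cloud apps, and an enabled policy blocking legacy authentication clients, which bypass MFA entirely. The policies are constructed in the shape of the Microsoft Graph conditionalAccessPolicy object (displayName, state, conditions, grantControls); in a real tenant they would be exported through the Graph API, for example with Get-MgIdentityConditionalAccessPolicy from the Microsoft Graph PowerShell SDK. The break-glass account ID is a placeholder.

```python
from typing import List

# Graph conditionalAccessPolicy clientAppTypes values that use legacy (basic) authentication
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def is_enforced(policy: dict) -> bool:
    # "enabledForReportingButNotEnforced" is report-only and protects nobody
    return policy.get("state") == "enabled"


def _users(policy: dict) -> dict:
    return policy.get("conditions", {}).get("users", {})


def covers_all_users(policy: dict) -> bool:
    return "All" in _users(policy).get("includeUsers", [])


def covers_all_apps(policy: dict) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def requires_mfa(policy: dict) -> bool:
    """True if every sign-in matching the policy must satisfy MFA, either via the
    built-in control or an authentication strength. With operator OR and another
    control alongside it, the user may satisfy that control instead, so MFA is not
    guaranteed."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    strong = "mfa" in controls or grant.get("authenticationStrength") is not None
    alternatives = controls - {"mfa"}
    if grant.get("operator", "OR") == "OR" and alternatives:
        return False
    return strong


def blocks_legacy_auth(policy: dict) -> bool:
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    grant = policy.get("grantControls") or {}
    targets_legacy = "all" in client_types or LEGACY_CLIENT_TYPES <= client_types
    return targets_legacy and "block" in grant.get("builtInControls", [])


def assess(policies: List[dict]) -> dict:
    """Evaluate a tenant's exported policies against the minimal MFA baseline."""
    enforced = [p for p in policies if is_enforced(p)]
    mfa = [p["displayName"] for p in enforced
           if covers_all_users(p) and covers_all_apps(p) and requires_mfa(p)]
    legacy = [p["displayName"] for p in enforced
              if covers_all_users(p) and blocks_legacy_auth(p)]
    # Exclusions are not wrong (break-glass accounts are the norm), but each needs a reason on file
    exclusions = {p["displayName"]: _users(p).get("excludeUsers", []) + _users(p).get("excludeGroups", [])
                  for p in enforced}
    return {
        "mfa_for_all_users": bool(mfa),
        "mfa_policies": mfa,
        "legacy_auth_blocked": bool(legacy),
        "legacy_block_policies": legacy,
        "report_only": [p["displayName"] for p in policies
                        if p.get("state") == "enabledForReportingButNotEnforced"],
        "exclusions_to_review": {name: ids for name, ids in exclusions.items() if ids},
    }


# Constructed policies in the shape of Graph's conditionalAccessPolicy (not a real tenant)
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},  # placeholder break-glass ID
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",   # the classic gap: created, never switched on
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    print(assess(POLICIES))
```

On the constructed tenant the MFA policy passes, but the legacy authentication block sits in report-only mode, so the finding is "legacy auth not blocked" even though a policy with the right name exists; that is the gap between "we have Microsoft 365" and "we have it configured". The check covers Conditional Access only (available in Business Premium through its Entra ID P1 licence); a tenant relying on security defaults or per-user MFA needs those states reviewed separately.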

Practical Compliance Steps: A Prioritised Approach

For a small Edinburgh IFA or wealth management firm with limited IT resources, tackling PS24/16 compliance in parallel with client service delivery is a real challenge. A prioritised approach makes the workload manageable.

Priority 1 (do this month): Complete your cloud service inventory. This takes a few hours and is the foundation for everything else. You can’t manage risks you haven’t identified. Use a simple spreadsheet: service name, provider, what business function it supports, whether it holds client data, current contract expiry date.

Priority 2 (do this quarter): Review and document your Microsoft 365 security configuration. This is highest priority because M365 is almost certainly your most critical cloud dependency and the one with the most configurable security controls. Engage your IT provider or MSP to produce a security configuration report against a recognised baseline such as the CIS Microsoft 365 Foundations Benchmark or the NCSC’s cloud security guidance, covering at minimum MFA enforcement, conditional access, legacy authentication, data loss prevention and audit log retention.

Priority 3 (do this half-year): Review your key supplier contracts. Check whether your CRM, financial planning software, and backup provider agreements include appropriate security and business continuity provisions. Where they don’t, request amended terms or escalate to a business-grade agreement.

Priority 4 (ongoing): Implement a formal process for reviewing cloud security at least annually. This doesn’t need to be complex – a documented annual review of your cloud inventory, security configurations, and supplier certifications satisfies the FCA’s expectation of ongoing oversight.

For Edinburgh firms subject to both FCA obligations and GDPR (which includes any firm handling client personal data), cloud security overlaps directly with your GDPR data protection obligations. Addressing PS24/16 compliance in isolation from your data protection framework misses an opportunity to consolidate effort. Your cloud service inventory serves both purposes; your supplier due diligence covers both FCA and ICO expectations.

The FCA has signalled that supervisory attention on operational resilience and third-party risk will intensify through 2025 and 2026. Edinburgh firms who can demonstrate a documented, proportionate compliance programme – even if not yet fully complete – are in a significantly better position than those who haven’t started. The FCA’s supervisory approach is risk-based; showing you understand your obligations and are actively managing them matters.

Quick Comparison

Security control                  | Cost                     | Breach prevention impact                                  | Priority
MFA on all accounts               | Free (included in M365)  | Blocks 99.9% of account-compromise attacks (Microsoft)    | Critical
Email filtering + SPF/DKIM (with a DMARC policy so receivers enforce them) | Included in M365 | Reduces phishing by 70%                      | Critical
Endpoint detection (EDR)          | From $5/user/month       | Detects lateral movement                                  | High
Staff security training           | From $3/user/month       | Reduces click-through by 65%                              | High

Frequently Asked Questions

Which Edinburgh firms are subject to FCA PS24/16?

The FCA’s operational resilience rules (SYSC 15A) apply to the categories of firm listed there, which include banks, building societies, insurers, payment and e-money institutions and enhanced-scope SM&CR firms. The critical third parties regime in PS24/16 applies to the designated providers themselves rather than to the firms that use them. Smaller FCA-authorised firms – IFAs, wealth managers, stockbrokers, mortgage brokers, insurance intermediaries and consumer credit firms – remain subject to the FCA’s outsourcing requirements (SYSC 8), its guidance for firms outsourcing to the cloud (FG16/5) and Principle 11, and the FCA expects them to be able to explain how they manage their cloud dependencies; the mapping, tolerance and testing approach in this article is the practical, proportionate way to do that. FCA-authorised law firms holding client money under FCA authorisation are in the same position. Firms regulated solely by the Solicitors Regulation Authority are not subject to FCA rules.

What counts as an Important Business Service under PS24/16?

An IBS is any service provided to external parties – clients, counterparties, or markets – where disruption could cause intolerable harm or market integrity issues. For most Edinburgh IFAs and wealth managers, investment advice delivery, portfolio management, and client money processing are Important Business Services. The FCA expects firms to identify their own IBS based on their specific authorised activities.

Do cloud provider outages count as PS24/16 events?

A cloud provider outage that causes a firm to breach its impact tolerance is a PS24/16 event that must be managed and documented. The FCA does not expect firms to prevent third-party outages – but firms must have arrangements to identify when a tolerance is breached, respond according to a documented plan, and report significant impacts.

How does PS24/16 interact with UK GDPR for cloud services?

PS24/16 and UK GDPR create overlapping cloud security obligations. UK GDPR Article 32 requires appropriate technical measures to protect personal data. PS24/16 requires firms to maintain access to systems containing that data within defined tolerances. A cloud incident may simultaneously trigger UK GDPR breach reporting (72-hour ICO notification) and PS24/16 tolerance breach documentation requirements.

When should we start our PS24/16 cloud compliance programme?

PS24/16 came into effect 31 March 2025. If you haven’t started mapping your Important Business Services and cloud dependencies, begin immediately. The FCA has been conducting supervisory reviews of medium-sized regulated firms since Q4 2025. Priority actions: IBS mapping, shadow IT discovery, and impact tolerance documentation.

Start With a Cloud Security Assessment

Compliance starts with knowing your cloud footprint. Virtually Pro’s cloud security assessment for Edinburgh financial firms includes IBS mapping guidance, shadow IT discovery, and a findings report structured to meet FCA supervisory expectations.


Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princess Street, Edinburgh EH2 2ER.
