“Under Principle 11,you must report material cyber incidents.”
You may consider an incident material if:
- it results in significant loss of data, or the availability or control of your IT systems
- it impacts a large number of victims
- it results in unauthorised access to, or malicious software present on, your information and communication systems
Source: Cyber resilience | FCA