COBS 20.14.2

(1) A Third Party Provider must notify the Regulator without undue delay if it becomes aware of a major operational or security incident.

(2) A notification under (1) must be in such form and manner, and contain such information, as the Regulator may direct.

(3) The Third Party Provider must inform its Customers without undue delay of the incident and the measures that it will take to mitigate the incident if the incident has or may have an impact on the financial interests of its Customers.