The FCA’s Cyber Coordination Group (“CCG”) Insights 2024 shine a spotlight on the current state of cyber resilience across the financial sector. Rather than introducing new regulation, the FCA has summarised the experiences of 139 firms, identifying effective practices, ongoing challenges, and areas requiring improvement.
This article outlines the key themes from the CCG report, focusing on:
- Reconnection and third-party management;
- Threat and vulnerability management; and
- Artificial intelligence (“AI”) and emerging technologies.
These insights aim to help firms enhance their cyber resilience within the framework of existing regulatory expectations. The intended audience includes cyber and operational resilience leaders, risk professionals, and internal audit teams.
Reconnection and Third-Party Incident Management
What’s Working:
The Cross Market Operational Resilience Group (“CMORG”) Reconnection Framework helps firms effectively manage third-party incidents and restore systems after disruptions. Industry forums like CMORG and FS-ISAC play a key role in improving supplier communication and reducing duplicated efforts. Supporting materials, such as Post-Incident Reports, root-cause analyses and attestation certificates, provide a strong foundation for making reconnection decisions. Regular scenario testing and active involvement from senior leadership further enhance a firm’s preparedness.
What’s Challenging:
Firms face difficulties due to inconsistent recovery time objectives across different jurisdictions, which makes coordination more complex. In addition, some third-party suppliers are not transparent in their resilience reporting, making it harder for firms to assess risk. Replacing underperforming suppliers is often challenging, especially when services are highly customised or tied to strict contracts. Over-reliance on weaker third parties ultimately undermines a firm’s overall cyber resilience.
Regulatory Expectation:
Under the FCA’s Operational Resilience framework (see FCA Handbook SYSC 15A), regulated firms must ensure that third-party arrangements support their ability to remain within impact tolerances. This includes robust contractual arrangements and regular testing of third-party resilience.
Key Takeaway:
Resilience must be embedded contractually, tested regularly, and reflected in day-to-day operations. Annual audits alone are not sufficient; firms must stress-test third parties and develop contingency plans for supplier failure.
Threat and Vulnerability Management
What’s Working:
Threat-led penetration testing (“TLPT”), such as CBEST and STAR-FS, helps uncover vulnerabilities, especially when combined with support from external experts and “purple teaming” strategies. CBEST thematic reports highlight common weaknesses across the sector. Properly categorising vulnerabilities helps firms prioritise critical risks such as zero-day threats. “War room” approaches accelerate remediation, and programmes like bug bounties help foster a strong internal security culture.
What’s Challenging:
Minor vulnerabilities, if left unchecked, can accumulate and become just as dangerous as a single critical issue, but they’re often overlooked. Updating legacy systems is expensive and labour-intensive. Maintaining remediation programmes also requires niche technical skills, and long hours may lead to staff burnout. Misclassifying vulnerabilities can waste resources and delay meaningful fixes.
Regulatory Expectation:
CBEST and other TLPT frameworks align with expectations set out in the Bank of England, PRA and FCA’s CBEST Intelligence-Led Testing framework. These are particularly relevant for firms designated as important participants in the financial sector’s critical infrastructure.
Key Takeaway:
Vulnerability management needs to be strategic, not reactive. Rather than patching issues one by one, firms should adopt a broader framework that considers the compounding nature of smaller, systemic risks.
AI and Emerging Technologies
What’s Working:
Firms are using AI to automate threat intelligence, antivirus tools, and compliance checks. Internal governance forums are helping to ensure AI is deployed responsibly. Guidance from the National Cyber Security Centre and the FCA’s AI Lab supports secure adoption. Industry groups like CMORG’s AI taskforce offer additional direction, and training programmes help staff use AI securely.
What’s Challenging:
AI tools that aren’t properly vetted can introduce new vulnerabilities. Some AI plugins can bypass data loss prevention systems. It’s also hard to detect whether suppliers are embedding AI into their products. New threats like AI model poisoning highlight the need to protect data integrity throughout the supply chain.
Regulatory Expectation:
While AI-specific regulations are still emerging in the UK, firms must ensure that AI adoption aligns with broader governance expectations under SYSC 13.7 (Systems and Controls – Operational Risk), as well as the Digital Operational Resilience Act (“DORA”), where applicable.
Key Takeaway:
The challenge lies in balance: harnessing AI’s potential while ensuring its adoption does not open new vulnerabilities. This requires the deployment of robust governance frameworks, including clear vendor oversight and training for staff to spot and mitigate AI-driven risks.
Conclusion
The FCA’s CCG programme continues to foster cross-industry collaboration and knowledge sharing. The Insights 2024 report reinforces the need for proactive threat-led penetration testing, robust third-party incident management, and thoughtful integration of AI technologies. By addressing persistent challenges, such as supplier resilience and legacy system security, firms can better align with regulatory expectations for operational and cyber resilience.
How Complyport Can Help
Firms must act now to evaluate their cyber resilience practices, systems, governance and preparedness to ensure robust protection against evolving threats.
Our experienced team continuously monitors the cyber resilience regulatory landscape and supports clients in achieving the highest standards of cyber security and operational resilience. Our operational resilience and cybersecurity services offering includes:
- Operational Resilience Frameworks: Supporting firms in implementing the FCA’s PS21/3 requirements and building resilience strategies that meet regulatory expectations;
- IT and Cybersecurity Audits: Conducting comprehensive assessments to identify vulnerabilities and enhance overall IT governance;
- REP018 Reporting Support: Assisting with the completion and submission of the FCA’s Operational and Security Risk Report;
- SOC 2 Readiness Assessments: Preparing firms for successful SOC 2 audits by evaluating and strengthening internal controls;
- DORA Compliance Support: Helping firms understand and meet the requirements of the Digital Operational Resilience Act;
- Supplier Resilience Reviews: Assessing third-party dependencies, reviewing contracts and testing substitution strategies;
- Threat-Led Testing Support: Helping firms prepare for CBEST and other penetration test frameworks, ensuring vulnerabilities are identified and managed effectively;
- Vulnerability Management Frameworks: Designing processes that capture the cumulative effect of smaller weaknesses and integrate intelligence-led prioritisation;
- AI Risk and Governance: Advising on policies and controls for AI adoption, vendor oversight, and defensive measures against emerging AI-related threats; and
- Board and Senior Management Briefings: Translating complex cyber risk themes into actionable insights for leadership teams, supporting informed decision-making.
Book a meeting with a Subject Matter Expert: Our cybersecurity services are designed to fortify your digital borders, safeguarding your sensitive data from evolving cyber threats. Complyport’s team of experts collaborates with your organisation, crafting tailored strategies that bolster your operational resilience, improve your IT governance and strengthen your cyber defences.
Further to the services mentioned above, we also offer remedies, including technical cybersecurity support. Our team helps fix vulnerabilities and enhance security measures, ensuring your organisation stays protected.