Financial Conduct Authority publishes Cyber Coordination Group cyber resilience insights on third-party reconnection, threat-led testing and AI risks
Financial Conduct Authority 2025-08-06

The Financial Conduct Authority (FCA) has released a summary of 2024 discussions with its Cyber Coordination Group (CCG) on cyber resilience, threat and vulnerability management, and emerging technologies such as AI and quantum computing. Drawing on the experiences of 139 member firms, it emphasises existing regulatory frameworks, the effectiveness of threat-led penetration testing, the role of cross-industry forums in incident management, and the challenges of AI deployment and third-party transparency. The FCA is explicit that the summary establishes no new regulatory expectations and is intended to support peer learning.

The publication covers three themes discussed in the CCG programme: reconnection after third-party incidents, threat and vulnerability management, and AI and other emerging technologies including quantum computing. The FCA stresses that the document creates no new regulatory expectations and is meant to help firms learn from their peers within the context of existing requirements. The note draws on the experiences of 139 member firms across five sector groups. Among other points, it highlights the effectiveness of threat-led penetration testing, the need to manage the cumulative risk that several individually non-critical vulnerabilities can pose when taken together, and security risk management for legacy and end-of-life systems.

On third-party incident management, the note points to the value of cross-industry forums such as the Cross Market Operational Resilience Group (CMORG) and the Financial Services Information Sharing and Analysis Centre (FS-ISAC) for coordinated communication with suppliers during major outages. It describes firms' use of the CMORG reconnection framework, including post-incident reports, root-cause analysis and attestations from the affected supplier before connectivity is restored. It also records the challenges members reported: recovery expectations that differ across jurisdictions, limited transparency from third parties about their resilience capabilities, the difficulty of replacing key suppliers, and the way weaker supplier controls erode a firm's overall resilience.

On AI, members reported benefits from automating cyber controls and from internal governance forums that oversee AI use. They also flagged risks: deploying AI without understanding its impact, difficulty training staff to use AI securely, limited visibility into AI embedded in suppliers' products and services, and threats that target AI models themselves.