This publication summarises discussions held throughout 2024 with industry members of the FCA’s Cyber Coordination Group (CCG) programme.
We are sharing the cyber resilience insights members raised, which focused on 3 key topics:
- The reconnection framework and third-party management.
- Threat and vulnerability management and threat-led penetration testing.
- AI and other emerging technologies, including quantum computing.
The FCA CCG programme brings together 139 firms as CCG members who have contributed their insights into these key topics. We have included insights from both members’ positive and more challenging experiences of the issues within their firms.
This publication does not introduce any additional regulatory expectations. We are making these insights widely available so that firms can consider them, within the context of our existing expectations, to learn from other firms and to help strengthen their cyber resilience capabilities.
Who this publication applies to
- Cyber resilience leaders.
- Operational resilience leaders.
- Operational risk professionals.
- Internal audit professionals.
- Cyber resilience specialists.
Insights summary
The following are likely to be of particular interest to firms:
- Threat-led penetration testing is an extremely effective tool for identifying previously-unknown cyber vulnerabilities.
- The threat from combined non-critical vulnerabilities can potentially cause as much or more harm than a single critical vulnerability.
- Legacy technologies, especially end-of-life systems, should have effective security risk management, as with any other system.
- Cross-industry information sharing forums, such as Cross Market Operational Resilience Group (CMORG) or the Financial Services Information Sharing and Analysis Centre (FS-ISAC), can be highly effective in enabling collective communication with third-party suppliers during significant outages.
- Implementing AI into cyber domains without taking steps to fully understand all potential impacts can lead to increased exposure to new or unidentified risks.
Discussion topic 1: Reconnection and third-party incident management
Members discussed their views and experiences of the Cross Market Operational Resilience Group (CMORG) Reconnection Framework, which they use to manage incidents involving third parties, including the subsequent reconnection of systems to those third parties following a cyber incident.
Insights from CCG members’ experiences
- Participating in cross-industry information sharing forums such as CMORG or FS-ISAC helps enable effective collective communication with third-party suppliers during significant outages. It can reduce duplication of effort and streamline messages to and from third-party suppliers.
- CCG members noted that the CMORG reconnection framework can be a highly effective tool for guiding firms’ decisions on reconnecting with third-parties who have suffered an operational disruption. Firms found the guidance on Post Incident Reports (PIRs), root-cause analyses and attestation certificates particularly valuable.
- Maintaining appropriate incident response and recovery plans that include third parties can enable firms to respond faster and more effectively during a disruption. This minimises the impact on consumers and businesses.
- Including third-party outage scenarios into incident response testing can help firms understand how to operate temporarily without access to key third-party services.
- Engaging senior leadership with testing incident response plans involving third parties can help build awareness of the reconnection framework. It can also reinforce key messaging about investing in cyber resilience.
Insights from CCG members’ challenges
- Firms increasingly rely on third-party suppliers in delivering their Important Business Services and ensuring that Impact Tolerances are not breached. However, different resiliency practices and requirements across jurisdictions can cause recovery times to become misaligned without effective mapping.
- Having discussions with third parties is important to understand their cyber and operational resilience capabilities. However, some third parties do not always report cyber and resilience capabilities to firms as expected.
- Some suppliers can be difficult to replace if their cyber security capabilities become weak or if they have other commitments. The difficulties range from unique third-party services to exclusivity of services or contractual commitments, making immediate manual workarounds difficult.
- Relying on third parties with lower cyber resilience standards than firms require can affect firms’ overall cyber resilience and weaken their ability to respond or recover from disruption.
Discussion topic 2: Threat and vulnerability management and threat-led penetration testing
Members discussed their experiences of implementing threat and vulnerability management programmes. These programmes enable firms to identify and understand threats to their cyber resilience and provide an approach to reducing risk from known vulnerabilities.
Insights from CCG members’ experiences
- Threat-led penetration testing is an extremely effective tool for identifying previously unknown cyber vulnerabilities, particularly when using external penetration testing providers to supplement internal red teams.
- Using established threat-led penetration testing frameworks, such as CBEST and Simulated Targeted Attack and Response for Financial Services (STAR-FS), is likely to identify vulnerabilities, as well as gaps in cyber resilience hygiene.
- Adopting a collaborative approach to penetration testing, known as purple teaming, means firms can significantly improve their capabilities to detect potential cyber-attacks.
- Regulatory publications on cyber resilience, particularly the annual CBEST thematic, are a helpful supplement to vulnerability identification programmes, as they can highlight common weaknesses firms can learn from.
- Patching vulnerabilities effectively requires testing ahead of rolling out patches to avoid unforeseen impacts which can lead to rollbacks.
- Appropriate initial categorisation of identified vulnerabilities, together with ongoing management of those categories, is fundamental to effective cyber resilience. Immediate categorisation of zero-day vulnerabilities at the highest level of risk has been important. However, inappropriate over-categorisation of vulnerabilities can lead to resource burnout.
- Responding to new critical vulnerabilities in a similar way to responding to critical incidents, eg ‘war rooming’, can lead to more timely remediation. In particular, this approach encourages and maintains clearer individual roles and responsibilities.
Insights from CCG members’ challenges
- Combined non-critical vulnerabilities can potentially cause as much or more harm than a single critical vulnerability. While critical vulnerabilities are a clear priority for remediation, firms should not underestimate the impact of combined or cumulative vulnerabilities.
- Legacy technologies, especially end-of-life systems, should have the same effective security risk management as any other system. However, securing legacy systems can present significant challenges compared with contemporary systems, often relating to higher costs and resource requirements.
- Maintaining effective threat and vulnerability management requires technical capabilities, as well as project management and stakeholder engagement skills. However, these capabilities can be difficult to recruit and retain long term.
- Gamifying vulnerability identification, for example through bug bounty programmes or by linking remediation efforts to risk reduction, can help maintain a secure culture.
- Maintaining effective vulnerability remediation programmes can be challenging to sustain long term. In particular, prolonged out-of-hours work by teams responsible for implementing technical remediation of vulnerabilities can be difficult to maintain to a high standard.
Discussion topic 3: Artificial Intelligence (AI) and emerging technologies
CCG members discussed their experiences of implementing artificial intelligence (AI) into their cyber resilience strategies, including to improve controls. They discussed data integrity, planning and awareness and information security as well as challenges faced when developing AI models.
Insights from CCG members’ experiences
- AI can be useful in automating quality assurance processes. This includes checking password policy compliance and credentials management as well as whether sensitive data is being inappropriately stored.
- Using AI in cyber defence processes can result in significant automation improvements to cyber controls, such as threat intelligence analysis, anti-virus management and risk analysis.
- Internal AI governance fora help ensure safe and controlled AI implementation into cyber controls.
- Recognised bodies and authorities provide helpful sources of guidance on AI implementation. Members mentioned the Department for Science, Innovation and Technology, the National Institute of Standards and Technology, and the National Cyber Security Centre. Industry working groups such as the CMORG AI taskforce are also looking to publish guidance on AI implementation.
- Recent FCA initiatives on AI provide firms with more information, including the FCA AI update, which sets out how key elements of the FCA’s regulatory frameworks apply to firms’ use of AI, as well as the AI Lab, the AI Sprint and the AI Live Testing service proposal.
- Staff training can ensure that AI usage remains within acceptable parameters.
Insights from CCG members’ challenges
- Implementing AI functionality into cyber domains without taking steps to fully understand all potential impacts can lead to increased exposure to new or unidentified risks.
- Training staff to securely use AI can be difficult due to AI plugins that can ignore data-loss prevention protocols.
- Identifying where service suppliers are embedding AI into their products can be difficult. However, it is important so that firms can fully understand and control AI integration into their systems and processes.
- Defending against cyber-attacks targeting AI can be challenging, but it is critical in order to avoid the poisoning of large language models, which in turn damages the integrity of information.
Background to the FCA CCG Programme
The FCA has run the CCG programme since 2017. It currently has 139 member firms within 5 groups that are each aligned to a sector. These are:
- Insurance.
- Wholesale banking.
- Retail banking.
- Investment and asset management.
- Payments, platforms and trading venues.
The FCA CCG programme also includes an additional group, the Trade Associations Cyber Information Group (TACIG), which includes members from finance sector trade associations.
The CCGs bring together industry cyber resilience and information security leaders so they can exchange insights and learn from each other. Within the CCGs, members may also meet with representatives from the Bank of England, the Prudential Regulation Authority and the National Cyber Security Centre.
The CCGs are held on a quarterly basis and promote engagement across the financial services sector.
We would like to thank CCG members for continuing to contribute their cyber resilience insights.
Glossary
| Term | Definition |
| --- | --- |
| Red Team | A group of authorised security testers who emulate a potential threat actor’s tactics and techniques against an organisation’s cyber security defences in order to identify potential vulnerabilities. |
| Vulnerability | A weakness or flaw in a system, software, or network that may be exploitable by attackers to gain unauthorised access and/or cause harm. |
| Legacy technology | Outdated or obsolete hardware or software that is still in use by an organisation despite being unsupported by the original vendor, often meaning it is insecure. |
| Threat-led penetration testing | A form of penetration testing in which testers use threat intelligence about an organisation in order to refine and deliver their penetration testing. |
| Zero-day vulnerability | A vulnerability in software or hardware that is unknown to the vendors or developers at the time of discovery. |
| Large Language Model (LLM) | A type of Artificial Intelligence (AI) system that is trained on large amounts of data to comprehend and generate human text. |