Insights from the 2021 Cyber Coordination Groups

Research insights Published: 08/12/2022 Last updated: 01/02/2023 See all updates

This publication provides an overview of insights arising from the discussions held at the FCA’s quarterly Cyber Coordination Group (CCG) meetings throughout 2021.


This publication is split into 3 sections: the first highlights the cyber risk landscape, as well as emerging cyber risks discussed at the CCGs in 2021. This is followed by 2 focus topics in which we summarise members’ insights on board engagement with cyber security and the state of DevSecOps. The focus topics are agreed prior to each forum by the industry and FCA co-chairs.

Background to the Cyber Coordination Groups

Since the CCG programme was launched in 2017, the CCGs have brought together cyber security and technology risk leaders from industry in shared forums and connected them with multiple authorities responsible for cyber resilience across the financial sector, to discuss key topics in a secure environment.

The member firms were joined by representatives from UK financial authorities and UK Government agencies (the Authorities) including the Treasury, the FCA, the Bank of England, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The CCG forums are held on a quarterly basis with the aim to help firms share knowledge, challenges and good practices for protecting the financial sector from cyber threats. They also promote engagement between the financial sector and the Authorities.

In 2021, we held 30 forums and brought together 152 firms across 7 CCGs, with each CCG representing a specific sub-sector. These sub-sectors were Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms.

The FCA also supports the Trade Association Cyber Information Group (TACIG) forum which brings together leading Financial Sector Trade Association bodies, to maximise information sharing relevant to the financial sector.

This is our fourth annual CCG insights publication. As with previous years, it draws on the knowledge shared from the past year’s CCG discussions, with the aim of sharing information and good practices to the wider financial sector. The insights cover broad cyber risks that span sector priorities as well as the key themes that were discussed in depth by some or all the CCGs.

The key insights discussed in this publication include:

  1. Malicious cyber actors targeting internet-facing systems such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities, ransomware attacks using Remote Desktop Protocols (RDP) and unpatched devices, denial of service attacks, and inadequate supply chain oversight leading to supply chain compromise. 
  2. The coronavirus (Covid-19) pandemic continued to impact the sector in 2021, with the challenges posed by remote and hybrid ways of working.
  3. Emerging trends in cyber security risks, include supply chain compromise and exploit of zero-day vulnerabilities.
  4. The importance of board engagement in setting the organisational cyber risk appetite. This also extends to board support in measuring the effectiveness of cyber security postures, and board assurance that supply chain partners effectively protect the information shared with them. 
  5. Several common good practices can be used for implementing security in the early stages of the software development cycle (also known as DevSecOps). This includes empowering rather than mandating security practices and giving access to security tools to the development teams. 

This publication is not FCA guidance on rules under section 139A of the Financial Services and Markets Act 2000. It does not set out FCA expectations for systems and controls that firms should have in place to comply with our regulatory requirements.

All insights have been shared by one or more firms within the CCGs, and much of the discussion supports existing guidance from the NCSC.

Section 2: Board engagement on cyber security

CCG members noted that awareness of cyber security has significantly increased over the last 5 to 10 years due to an increase in cyber-enabled crime, more detrimental breaches and stricter legislation. Cyber security has become a standing agenda at many board meetings and cyber metrics are becoming increasingly popular with board members as a way to evaluate cyber risk.

Members noted that one of the biggest challenges that many face is having multiple boards and committees, all with different levels of knowledge and understanding, as well as interest, in cyber security. The challenge of creating consistent understanding of cyber issues is complex.

Cyber risk appetite was discussed between members, primarily focusing on the measurement of risks and how this is portrayed to boards. Members noted there was a need for increased technical understanding within boards to minimise the need to translate technical into nontechnical language.

General good practice

  • Strategies for increasing board engagement identified by members included translation of cyber risks into business risks, having frequent communication and regular reporting with the board and relaying consistent messages to boards when briefing on cyber risk.  Boards can find cyber risk metrics which relate cyber security posture to cyber maturity to be effective management intelligence (MI), especially if split across key business areas. 
  • Another effective tool to promote board engagement is to run spear-phishing campaigns on board members and cyber tabletop exercises
  • Some members shared that the use of the NCSC Board Toolkit has been useful in educating the board on cyber risk and has also been useful to gain consistent view of risk across organisation’s group structures. Members also noted that discussions around cyber with peers drive board engagement. Other effective tools for board engagement included presentations on current threat landscape via external CISOs sharing their experiences and challenges and focused briefings on effective cyber strategies. 
  • Boards currently have a large focus on cyber issues regarding supply chain. This is due to the high number of supply chain cyber incidents and the large amount of recent publicity these have created. Members stated that they were being increasingly challenged by Board members on this topic following events such as Solarwinds.

Section 3: Development, security, and operations (DevSecOps)

CCG members discussed secure software development principles and the level of maturity of DevSecOps in their organisations and sub-sectors. 

DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle (SDLC). It also expands the collaboration between development and operations teams building on automation and platform design that integrates security as a shared responsibility throughout the entire SDLC.

The discussions covered the following themes:

  • Governance and policy: Ensuring that the process and decision-making framework surrounding DevOps is explainable and robust. Creating transparent cybersecurity policies and procedures that are easy for developers and other team members to understand and implement in agile environments will also help. 
  • Automation and monitoring: Scaling security controls while aligning to the pace of DevOps processes by using automated security tools for code analysis, configuration management, patching and vulnerability management. 
  • Securing development environments: Providing engineers with environments that suit their needs and the need of the business while also promoting security practices and protecting the software supply chain. Access and secret management.
  • Implementing DevSecOps and Culture: Developing the right culture to enable cross-functional teams and shared responsibility for information security. Looking at the key barriers to adoption and how members have managed them.

Some examples of DevSecOps practices include scanning repositories for security vulnerabilities, early threat modelling, security design reviews, static code and dynamic code reviews:

  • Vulnerability scanning, in particular open source vulnerability scanning for software which may have been created without good security practice analyses open source components, libraries and dependencies in source code. 
  • In a DevSecOps process, security risk analysis can be used during the planning stage to identify which components are most secure or free from vulnerabilities that would put the project at risk. Then, vulnerability scans occur at multiple stages of the development and build processes to ensure no new vulnerabilities are introduced after the initial planning stage.  
  • Early threat modelling is the approach of evaluating and mitigating application security risk by analysing the business environment where the application will be deployed and setting out how potential weaknesses might be exploited. The aim to enable teams to quickly make data-driven and proactive decisions to minimise security risk exposure. 
  • There are many tools available eg visual dashboards and solutions that use data to automatically build threat models.  
  • Static code reviews allow developers to scan the source code for weak or insecure code, quantifying the vulnerability and prioritising remediation. The level of severity will prevent a component moving to the next stage of the development.
  • Dynamic code review can be performed by automated applications, testing a variety of threats without the need to access the development source code.

Members spoke very positively about the benefits of DevOps for security, particularly the concepts of automation, self-service and software as code. Mature DevSecOps automation involves providing developers with self-service security tools that remediate identified vulnerabilities without the need to directly interact with security staff.

Examples discussed included:

  • reduction of manual effort and consequently reduction of mistakes when spinning up consistently defined builds
  • having security configuration applied immediately and consistently through coded pipelines, as this allows for the automation of the build, test, and deploy phases of the release process every time there is a code change, based on the release model defined by the developer
  • the ability to pro-actively define security patterns for use in cloud deployments

The major challenge in implementing a DevSecOps culture is that the information security teams are often not integrated with the development and technology teams. In some cases development is done in data science units or outsourced to third parties.

Members noted that it can be a slow process to implement DevSecOps at an established firm. One solution is the use of agile sprints for projects, but it was noted challenges persist using this methodology, especially for larger projects. It was suggested that waterfall methodology can be more effective for more strategic projects.

General good practice

  • A cultural shift to allow accountability for security to be shared across an organisation is crucial for DevSecOps to be used effectively. The empowerment of development teams to make security decisions and the integration of security expertise into development teams were noted as good strategies for moving towards DevSecOps.
  • It was also noted that giving developers access to security tools to use themselves can be an effective strategy to both upskill developers, and to create faster security feedback loops.
  • An ideal practice is for software code developers is to begin contributing to the security standards of code, rather than these being mandated by security teams. Secure coding standards are sets of rules and guidelines used by an organisation to reduce security vulnerabilities and errors during development.

We thank all members of the Cyber Coordination Groups that have contributed to the discussions and whose insights are reflected in this publication.

Page updates

: Editorial amendment Category update to Research - as part of website refresh