A&O Shearman | FinReg | UK FCA cyber coordination group insights 2025
Financial Regulatory Developments Focus
  • UK FCA cyber coordination group insights 2025

    24 April 2026
    The UK Financial Conduct Authority (FCA) has published a new webpage summarising discussions held with members of its cyber coordination group (CCG) on good and poor practice in cyber resilience. The FCA focuses on three areas: incident response and recovery; the implications of emerging technologies (including AI and post‑quantum cryptography (PQC)); and insider risk management. The FCA notes that the insights do not introduce new regulatory expectations but are intended to help firms assess and strengthen their cyber resilience in line with existing expectations and operational resilience requirements.

    On incident response and recovery, CCG members highlighted the importance of comprehensive service mapping of key personnel, technology assets and third-party services to strengthen response capabilities, the use of severe but plausible scenarios to test recovery at scale, and early and sustained senior management involvement in testing and response exercises. Many members also reported benefits from subscribing to the National Cyber Security Centre's Early Warning service. Key challenges include the difficulty of mapping in complex organisations and technology environments, limited relationships with the board hindering early senior management involvement, and difficulties engaging with third parties where contractual requirements are limited or there is no shared history of expectations.

    In relation to emerging technologies, firms reported integrating AI‑related risks into existing governance frameworks, adopting risk‑based approaches to prepare for PQC, and improving cryptographic hygiene. Members are also enhancing staff awareness of how emerging technologies, such as PQC and AI, may affect operational resilience through the development of role-specific technology literacy programmes. Key challenges include limited visibility over third‑party use of AI, increased use of AI by threat actors to enhance cyber-attacks, and difficulties securing sustained senior buy‑in for longer‑term technology risks.

    On insider risk, members emphasised the need for joined‑up, enterprise‑wide approaches across functions, effective configuration of detection and access management controls, and the creation of a culture of security and trust, with senior management-supported messaging on insider risk. Common challenges include privacy and employment law constraints on a firm's monitoring of user activity, the high volume of activity alerts, limited use cases for AI tools, and the scope of insider risk not always being well defined.
