The FCA has published a summary of discussions held throughout 2024 with industry members of its Cyber Coordination Group (CCG) programme, offering valuable insights for regulated firms navigating the cyber threat landscape. The insights centre on three key topics: third-party management, threat and vulnerability management, and implementing AI into cyber resilience strategies. Here, we explore some of the standout points for firms.
Third-party management
The FCA highlights a growing reliance on third-party suppliers to deliver firms' ‘important business services’ (those which, under the UK's operational resilience framework, could cause intolerable harm to consumers or risk to market integrity if disrupted). However, in a nod to the global nature of supply chains, it observes that differing resilience practices and requirements across jurisdictions can leave a firm's recovery time objectives misaligned with those of its suppliers unless the dependencies are properly mapped.
Further challenges highlighted by the FCA include that some third parties do not report their cyber and resilience capabilities to firms as expected, and that some suppliers can be difficult to replace if their cyber security capabilities weaken or if they are committed elsewhere. In both cases, we flag that the UK's introduction of a new oversight regime for critical third parties to the UK financial sector may help firms manage these risks (see more here).
Threat and vulnerability management
Members' experiences of implementing threat and vulnerability management programmes produced some useful practice points for firms to pay attention to, as follows:
- appropriate initial categorisation, and ongoing management of those categories, of identified vulnerabilities is fundamental to effective cyber resilience; over-classifying findings as critical dilutes prioritisation and can lead to resource burnout in remediation teams;
- responding to new critical vulnerabilities in the same way as critical incidents, e.g. ‘war rooming’, can lead to more timely remediation; and
- combined non-critical vulnerabilities can cause as much or more harm than a single critical vulnerability, because an attacker can chain them. While critical vulnerabilities are a clear priority for remediation, firms should not underestimate the impact of combined or cumulative vulnerabilities on the same asset.
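The two prioritisation points above (chained non-critical findings, and the dilution caused by labelling too much as critical) can be expressed as triage logic. The following is an added illustration, not code from the FCA or any CCG member; the chain rule, the "role" tags an analyst might attach to a finding, the 25% threshold and the sample findings are all constructed assumptions for the example.

```python
"""Vulnerability triage illustrating cumulative-risk escalation and
over-categorisation detection. Scoring rules and data are constructed."""

from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Hypothetical attack-chain roles an analyst tags a finding with.
ENTRY, ESCALATE, IMPACT = "entry", "escalate", "impact"


@dataclass(frozen=True)
class Finding:
    asset: str
    ident: str            # scanner identifier (constructed values below)
    severity: str         # label as reported by the scanner
    role: str             # ENTRY / ESCALATE / IMPACT (assumed tagging)
    internet_facing: bool


def effective_severity(findings):
    """Effective severity for one asset's findings.

    Chain rule (assumption for this example): an ENTRY finding together
    with an ESCALATE or IMPACT finding on the same asset is treated as at
    least 'high', and as 'critical' when the asset is internet-facing,
    whatever the individual labels say.
    """
    if not findings:
        raise ValueError("no findings for asset")
    rank = max(SEVERITY_RANK[f.severity] for f in findings)
    roles = {f.role for f in findings}
    if ENTRY in roles and roles & {ESCALATE, IMPACT}:
        exposed = any(f.internet_facing for f in findings)
        floor = SEVERITY_RANK["critical" if exposed else "high"]
        rank = max(rank, floor)
    return RANK_SEVERITY[rank]


def remediation_queue(findings):
    """Assets ordered for remediation: effective severity first, then
    internet-facing assets ahead of internal ones, then by name."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    rows = []
    for asset, fs in by_asset.items():
        rows.append((asset, effective_severity(fs),
                     any(f.internet_facing for f in fs), len(fs)))
    rows.sort(key=lambda r: (-SEVERITY_RANK[r[1]], not r[2], r[0]))
    return rows


def over_categorised(findings, max_critical_share=0.25):
    """True when so large a share of findings is labelled critical that the
    label no longer distinguishes anything (threshold is an assumption)."""
    if not findings:
        return False
    critical = sum(1 for f in findings if f.severity == "critical")
    return critical / len(findings) > max_critical_share


# Constructed sample: web01 has two mediums that chain into a foothold plus
# escalation on an internet-facing host; app04 has one genuine critical.
SAMPLE = [
    Finding("web01", "VULN-0001", "medium", ENTRY, True),
    Finding("web01", "VULN-0002", "medium", ESCALATE, True),
    Finding("db02", "VULN-0003", "high", IMPACT, False),
    Finding("ws03", "VULN-0004", "low", ENTRY, False),
    Finding("app04", "VULN-0005", "critical", IMPACT, False),
]

if __name__ == "__main__":
    for asset, sev, exposed, n in remediation_queue(SAMPLE):
        print(f"{asset:6} {sev:9} internet_facing={exposed} findings={n}")
    print("over-categorised:", over_categorised(SAMPLE))
```

The point of the ordering is that web01, with no individual finding above medium, lands at the head of the queue ahead of the asset carrying a single critical, while `over_categorised` gives a cheap check that the critical label is still doing prioritisation work rather than being applied to everything.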
Also of interest, the FCA emphasises that legacy technologies, especially end-of-life systems, should be subject to the same effective security risk management as any other system. However, securing legacy systems can be significantly more challenging than securing contemporary ones, often because of higher costs and resource requirements.
AI and cyber resilience
Finally, CCG members discussed their experiences of implementing AI into their cyber resilience strategies. Members reflected that using AI in cyber defence processes can deliver significant automation improvements to cyber controls, such as threat intelligence analysis, anti-virus management and risk analysis. Several challenges were noted, however, including that:
- training staff to use AI securely can be difficult, as some AI plugins can bypass data loss prevention (DLP) controls;
- identifying where service suppliers are embedding AI into their products can be difficult. It is important, however, so that firms can fully understand and control AI integration into their systems and processes; and
- defending against cyber-attacks targeting AI can be challenging, but is critical to prevent the poisoning of large language models, which in turn undermines the integrity of the information they produce.
To conclude, while these insights do not introduce any additional regulatory expectations, the FCA encourages firms to reflect on them to help strengthen their cyber resilience capabilities. As the threat landscape continues to evolve, these insights offer a timely opportunity for firms to review and sharpen their cyber resilience strategies.