FCA Cyber Resilience Insights: Lessons from 2024 Industry Discussions
- Simon Roberts
- Aug 22

The Financial Conduct Authority (FCA) has published a summary of its 2024 discussions with industry members of the Cyber Coordination Group (CCG), providing practical insights into how firms are managing the evolving cyber threat landscape. The discussions focused on three key themes: third-party management, threat and vulnerability management, and the integration of AI into cyber resilience strategies.
For regulated firms, these insights are not new rules, but they do serve as a timely benchmark to evaluate whether existing resilience practices are robust enough in the face of growing cyber risk.
Third-Party Management
The FCA highlights the industry’s increasing reliance on third parties to deliver “important business services” – those where disruption could cause intolerable harm to consumers or market integrity under the UK’s operational resilience framework.
Key challenges include:
Jurisdictional misalignment: Supply chains are global, but recovery practices and expectations vary across countries, so a supplier's recovery times may not line up with the firm's own impact tolerances. Mapping the supply chain against those tolerances is critical to spotting the gaps.
Transparency gaps: Some suppliers are not providing firms with adequate reporting on cyber and resilience capabilities.
Supplier substitution risks: In certain cases, firms find it difficult to replace suppliers with weak cyber capabilities due to commercial or contractual constraints.
The FCA flags that the UK’s new oversight regime for critical third parties (CTPs) will soon provide firms with additional tools to manage these risks. Until then, firms should strengthen supplier mapping, require resilience reporting in contracts, and conduct substitution testing as part of their third-party risk management.
Threat and Vulnerability Management
The FCA’s summary underlines that vulnerability management must be prioritised and pragmatic. Industry members highlighted several best practices:
Smart categorisation: Classing too many vulnerabilities as critical drains remediation resources, while classing too few leaves genuine exposure unaddressed. Categories and the thresholds behind them should be reviewed and refined regularly.
“War rooming” responses: Treating critical vulnerabilities like incidents – with rapid, focused team mobilisation – improves response times.
Combined vulnerabilities: Several individually non-critical vulnerabilities on the same system can be chained by an attacker, so they may cause significant cumulative harm if left unmanaged.
The FCA also stresses that legacy systems require the same level of protection as newer technologies. Firms often underestimate the cost, complexity, and resources needed to secure end-of-life systems, but attackers continue to exploit these weaknesses.
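As an added illustration, not part of the FCA's summary or of this article, the following Python sketch shows one way to put the four points above into practice together: scoring each finding in context (exposure, asset importance, end-of-life status, known exploitation) rather than by raw CVSS alone; adding a cumulative uplift when several medium-severity findings sit on the same host; assigning a war-room tier to the top band; and flagging when the war-room tier exceeds what the team can actually mobilise for, which is the cue to revisit the categories. The weights, thresholds, host names and findings are constructed assumptions, not any firm's or the regulator's scheme.

```python
"""Risk-based vulnerability triage (illustrative; weights and data are
constructed assumptions, not a published scheme)."""
from collections import defaultdict
from dataclasses import dataclass

# Contextual adjustments added to the CVSS base score (assumed weights).
INTERNET_FACING = 1.5
CRITICAL_ASSET = 1.0      # asset supports an "important business service"
END_OF_LIFE = 1.0         # vendor no longer ships patches
EXPLOITED_IN_WILD = 2.0
CHAIN_FACTOR = 0.25       # share of each extra medium+ finding on the same host
MEDIUM_FLOOR = 4.0
SCORE_CAP = 15.0

# Tier thresholds (assumed); "war_room" means treat like an incident.
WAR_ROOM = 12.0
SCHEDULED = 7.0


@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str              # internal tracker reference, not a real advisory id
    cvss: float
    internet_facing: bool
    asset_critical: bool
    end_of_life: bool
    exploited: bool


def finding_score(f: Finding) -> float:
    """CVSS adjusted for where the flaw sits and whether a fix even exists."""
    score = f.cvss
    score += INTERNET_FACING if f.internet_facing else 0.0
    score += CRITICAL_ASSET if f.asset_critical else 0.0
    score += END_OF_LIFE if f.end_of_life else 0.0
    score += EXPLOITED_IN_WILD if f.exploited else 0.0
    return round(min(score, SCORE_CAP), 2)


def asset_scores(findings):
    """Per-asset score: the worst finding plus a chaining uplift for every
    additional medium-or-higher finding on the same host, so a cluster of
    'non-critical' issues can together reach war-room priority."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(finding_score(f))
    result = {}
    for asset, scores in by_asset.items():
        scores.sort(reverse=True)
        uplift = sum(CHAIN_FACTOR * s for s in scores[1:] if s >= MEDIUM_FLOOR)
        result[asset] = round(min(scores[0] + uplift, SCORE_CAP), 2)
    return result


def tier(score: float) -> str:
    if score >= WAR_ROOM:
        return "war_room"
    if score >= SCHEDULED:
        return "scheduled"
    return "backlog"


def triage(findings):
    """Return {asset: (score, tier)} ordered from most to least urgent."""
    ranked = sorted(asset_scores(findings).items(), key=lambda kv: -kv[1])
    return {asset: (score, tier(score)) for asset, score in ranked}


def categories_need_review(triaged, war_room_capacity: int) -> bool:
    """Over-categorisation check: more war-room assets than the team can
    mobilise for means the thresholds, not the team, need adjusting."""
    return sum(1 for _, t in triaged.values() if t == "war_room") > war_room_capacity


# Constructed sample findings: one isolated critical, one exploited edge
# flaw, three mediums clustered on an internet-facing end-of-life gateway.
SAMPLE_FINDINGS = [
    Finding("dev-build-07", "F-1", 9.8, False, False, False, False),
    Finding("pay-gw-01", "F-2", 6.5, True, True, True, False),
    Finding("pay-gw-01", "F-3", 5.3, True, True, True, False),
    Finding("pay-gw-01", "F-4", 6.1, True, True, True, False),
    Finding("hr-portal", "F-5", 3.1, False, False, False, False),
    Finding("vpn-edge-02", "F-6", 7.5, True, True, False, True),
]

if __name__ == "__main__":
    for asset, (score, t) in triage(SAMPLE_FINDINGS).items():
        print(f"{asset:14} {score:5.2f} {t}")
    print("review categories:", categories_need_review(triage(SAMPLE_FINDINGS), 1))
```

The point the sample makes is the one the CCG members raised: the lone CVSS 9.8 on an isolated build box lands in the scheduled tier, a single medium on the exposed end-of-life gateway would too, but the three mediums together push that gateway to the top of the list. Any weights like these are a starting point to be tuned against real remediation capacity, not a fixed rule.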
AI and Cyber Resilience
The integration of artificial intelligence into cyber resilience strategies offers clear benefits but also new risks. According to firms within the CCG:
AI improves automation in threat intelligence, antivirus management, and risk analysis, freeing up human resources.
Challenges remain, particularly:
AI plugins bypassing data-loss prevention controls, for example by sending content to external AI services through channels that existing DLP tooling does not inspect.
Difficulty in identifying where vendors embed AI into products.
The need to defend against AI-specific attacks (e.g. poisoning of large language models).
The FCA encourages firms to treat AI integration as part of broader risk management. This includes training staff in safe AI use, demanding transparency from suppliers about AI adoption, and building defences for AI-targeted attacks.
What This Means for Firms
While the FCA’s publication does not set out new regulatory requirements, it is a clear signal of supervisory expectations. Firms should use the insights to:
Review third-party resilience frameworks – with mapping, substitution testing, and transparency requirements front of mind.
Reassess vulnerability management – ensuring resources are targeted effectively and legacy systems are not overlooked.
Evaluate AI in cyber strategies – balancing the benefits of automation with the risks of misuse or exploitation.
Conclusion
The FCA’s insights reflect a growing reality: cyber resilience is no longer purely a technical issue, but a core element of operational resilience and regulatory compliance. For firms across financial services, these learnings provide both a benchmark and a call to action.
With third-party risk, vulnerability management, and AI integration firmly on the regulatory radar, firms that fail to adapt could face not only operational risks but also supervisory scrutiny.