On 24 April 2026, the Financial Conduct Authority (FCA) published a summary of discussions held throughout 2025 with industry members of its Cyber Coordination Group (CCG) programme.
Background
The FCA set out that its CCG programme brings together up to 140 firms, and that members of this group have contributed insights reflecting what has worked well for them and the challenges they have encountered within their own firms.
The FCA highlighted that, in publishing these insights, it is not introducing any additional regulatory expectations; it is making them available so that firms can consider them in the context of the FCA's existing expectations and strengthen their cyber resilience capabilities.
Summary
The FCA set out a range of insights from the CCG, including:
- Incident response and recovery: The FCA highlighted several insights. Active and sustained involvement from senior management in incident response exercises and testing materially improves organisational decision-making, clarity of communications and confidence during live incidents. Robust testing, especially in live and sandbox environments, reveals operational nuances that tabletop exercises miss, strengthening preparedness for severe but plausible incident scenarios. Effective third-party engagement remains essential yet challenging: members emphasised the need for clearer contractual obligations, stronger supply chain transparency (especially around AI), and the inclusion of key suppliers in response and recovery testing, so that priorities do not become misaligned during a crisis.
- Emerging technologies: The FCA emphasised the importance of firms building emerging technologies into their risk frameworks. For example, where relevant, AI adoption and post-quantum cryptography migration need to be embedded within existing risk frameworks, supported by strong cryptographic hygiene and risk-based prioritisation, so that transition challenges can be managed.
- Insider risk: The FCA also set out that CCG members considered insider risk management to be most effective when approached enterprise-wide, combining behavioural analytics, strong access management and clear, trust-building communication. However, members also noted that privacy obligations, the complexity of monitoring, and differing jurisdictional rules and laws are often important considerations to navigate.