The FCA has published good and poor practice emerging from its Cyber Coordination Group (CCG) in 2025 covering key resilience topics like: incident response practices and recovery at scale; implications of AI, quantum computing and other emerging technology; and insider risk management.
Key recommendations included:
- Preparing senior managers for incident response – active and sustained involvement from senior management with exercises and testing materially improves decision-making, clarity of communications, and confidence during live incidents.
- Developing testing approaches to strengthen preparedness – robust testing, particularly in live and sandbox environments, reveals operational nuances that tabletop exercises might miss, strengthening preparedness for severe but plausible incident scenarios.
- Being clear with third parties on roles and expectations, to avoid misalignment during a crisis – effective third-party engagement remains essential yet challenging, with members emphasising the need for clearer contractual obligations, stronger supply chain transparency (especially around AI), and including key suppliers in response and recovery testing.
- Building emerging technologies into risk frameworks – AI adoption and post-quantum cryptography migration ought to be embedded within existing frameworks to manage transition challenges.
- Managing insider risk – this is most effective when consider enterprise-wide, combining behaviour analytics, strong access management and clear communication.
