The FCA’s Cyber Coordination Group (CCG) Insights 2024 captures a year’s worth of honest discussion and practical lessons from across the UK financial sector. CyberNorth’s Lead for Cyber & FinTech, Jon Holden, gives his thoughts on the report and why he thinks that this time, it’s different.

For me, this one is different. After almost nine years sitting on the CCG, contributing to its debates, and learning from peers across banking, insurance, asset management, and fintech, this report feels like a milestone — a consolidation of years of shared challenges, breakthroughs, and the occasional healthy disagreement.

Third-Party Resilience – The Real Test Comes in a Crisis

Third-party suppliers are part of every firm’s operational DNA. When they falter, the impact is immediate and wide-reaching. The CCG’s work around the CMORG reconnection framework has been one of the most effective sector-wide steps forward in recent years.

  • Structured recovery: PIRs, attestations, and reconnection criteria provide clarity in high-pressure situations.
  • Collective intelligence: Forums like FS-ISAC allow real-time information sharing, helping us avoid duplication and confusion.

But the challenges are consistent — and I’ve seen them resurface over the years: suppliers overstating their capabilities, contractual lock-in making replacement impossible, and international resilience standards that don’t align when speed matters most.

Threat-Led Testing – Moving Beyond Compliance

Across my years in the CCG, I’ve seen the sector’s attitude towards testing mature dramatically. Threat-led penetration testing — particularly via frameworks such as CBEST and STAR-FS — now allows us to simulate real-world attack scenarios and test not just prevention, but detection and coordinated response.

I’ve long argued in the group that vulnerability management must go beyond the “critical” list. Over the years, we’ve seen too many incidents sparked by a cluster of low-severity issues that, combined, create a perfect entry point. And while legacy systems are inconvenient, they cannot be ignored.

AI – Capability with Consequence

AI has moved from a talking point to a reality in cyber operations. In recent years, we’ve seen AI automate policy checks, strengthen threat intelligence, and streamline sensitive data discovery.

But with each year on the CCG, I’ve also seen the risks become clearer:

  • AI features buried in third-party tools without transparency.
  • Plugins bypassing DLP and established security controls.
  • Data poisoning and manipulation attacks undermining trust in outputs.

The NCSC, DSIT, and CMORG AI Taskforce have been vital in shaping safe adoption principles. My own stance, honed over almost a decade in the group, is simple: innovation is welcome, but without governance and awareness, we’re just accelerating towards risk.

Looking Back, Looking Forward

Almost ten years on the CCG has taught me three enduring truths:

  1. Information-sharing is one of the sector’s greatest strengths — but it only works when we’re honest.
  2. Resilience is built long before the incident — relationships, rehearsals, and readiness matter more than any single control.
  3. New technology demands proactive governance — waiting for regulation leaves you behind the threat curve.

The FCA’s Insights 2024 isn’t just another publication for me — it’s a snapshot of a community I’ve been proud to be part of for nearly a decade. The challenge now is for all of us to turn its observations into practical action before the next test comes.

Jon Holden

Cyber & FinTech Lead, CyberNorth