FCA Shares 2025 Cyber Coordination Group Insights, Flags New Compliance Rules
The FCA released a 2025 summary of its Cyber Coordination Group, highlighting sector-wide cybersecurity challenges.
Why it matters: Financial firms supervised by the FCA must align with evolving cyber resilience standards and prepare for strict incident and third-party reporting requirements. Compliance officers and legal teams need to respond to these developments to reduce regulatory risk.
- The FCA's Cyber Coordination Group involves up to 140 financial sector firms sharing cyber insights.
- In 2025, over 40% of reported cyber incidents involved third-party providers.
- New incident and third-party reporting rules take effect March 18, 2027.
- A streamlined reporting regime and single portal will be rolled out with the PRA and Bank of England.
The Financial Conduct Authority (FCA) has published its summary from the 2025 Cyber Coordination Group (CCG), a forum comprising up to 140 financial firms working to bolster sector-wide cyber resilience. Released on April 24, 2026, the report highlights major cyber risk themes and best practices developed during a volatile year for cybersecurity.
- The FCA noted that resilience is under unprecedented pressure, as firms grapple with rising cyber threats and deeper reliance on external providers. Mark Francis, Director at the FCA, said: "Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on."
- Over 40% of cyber incidents reported in 2025 involved third-party suppliers, underscoring third-party risk as a chief compliance concern.
- The FCA's recently confirmed reporting rules, set to apply from March 18, 2027, mandate clearer processes for incident and third-party disclosures. The upcoming regime introduces a unified reporting portal, developed in collaboration with the Prudential Regulation Authority (PRA) and Bank of England, to ease reporting burdens and ensure consistency across regulators.
While the FCA's CCG summary signals emerging best practices, details on precise recommendations or rule texts remain limited. Nonetheless, legal, risk, and compliance functions at FCA-regulated firms are urged to closely review these developments as the implementation date approaches.
By the numbers:
- Up to 140 — number of firms participating in the FCA's Cyber Coordination Group
- 40%+ — share of cyber incidents reported in 2025 that involved third parties
- March 18, 2027 — when new incident and third-party reporting rules take effect
Yes, but: The FCA's summary does not specify the detailed best practices or exact rule language, limiting immediate actionable guidance for firms.
What's next: The new reporting rules come into force on March 18, 2027, prompting firms to enhance their compliance programs before then.