“When written in Chinese the word crisis comprises two characters – one representing danger; the other opportunity.” John F Kennedy.
The tragedy of 9/11 is most notably remembered for the appalling loss of life, but the audacious attacks also had a material impact on the global economy with market trading in securities being frozen at the previous day’s closing value to ensure market integrity. Whilst not a cyberattack itself, disruptors have seen how “left field” events can cause massive disruption to governments and companies alike.
Indeed, the current Iran War began with a significant cyber-attack leaving the Iranian regime at a significant strategic disadvantage. Cyber has become a core feature of what is sometimes termed asymmetrical warfare.
Cyber security breaches represent an insidious and unrelenting threat to both government and financial institutions with the risks often not contained to the institution targeted but impacting customers and suppliers. Barely a day goes by without some new revelation of a cyber-attack on institutions. The cases of Marks and Spencer and Jaguar Land Rover (JLR) are but two recent examples. Both have carried reputational damage and significant opportunity cost in remedying problems as well as the risk of job loss, all the way up the supply chain.
In the financial services context, regulatory obligations in this regard in the UK are covered by the Systems and Controls rules and principles of the FCA and the PRA. These obligations also form a core element of focus for the FSB (Financial Stability Board) which considers financial stability in global markets.
The FCA’s Cyber Coordination Group (CCG), established in 2017, brought together 139 industry cyber resilience and information security leaders. The programme has enabled members to share insights, challenges, and approaches to strengthen collective resilience across the financial sector. The findings of the CCG are useful for both regulator and regulated alike. The CCG recently provided findings of good and poor practices using key topics and insights covering reconnection and third-party incident management, threat and vulnerability management and threat-led penetration testing, as well as AI and emerging technologies.
On reconnection and third-party incident management, the insights were that the Cross Market Operational Resilience Group’s (CMORG) Reconnection Framework is used to manage third-party incidents effectively, and that cross-industry forums such as CMORG and the Financial Services Information Sharing and Analysis Centre (FS-ISAC) support collective communication with suppliers during outages. Finally, testing outage scenarios involving third parties can help firms understand how to operate without access to key external services.
Feedback indicated the following two challenges:
• first, there was heavy reliance on third-party suppliers for resilience practices; and
• second, there was limited cyber security capability amongst suppliers, which can hinder firms’ ability to respond to, or recover from, disruption.
The insights on threat and vulnerability management and threat-led penetration testing covered frameworks used to identify vulnerabilities and highlight resilience gaps: CBEST, an intelligence-led cybersecurity testing framework used by the Bank of England since 2014 to simulate real-world attacks on financial institutions, and Simulated Targeted Attack & Response for Financial Services (STAR-FS). Three challenges were identified:
• first, how to manage the cumulative impact of non-critical vulnerabilities;
• second, how to secure legacy systems; and
• finally, how to maintain technical capabilities for effective threat and vulnerability management.
Of these two commendable systems, CBEST is the more heavyweight and is designed for systemically important firms, but it comes with significant regulatory involvement and longer timelines.
The third topic covered AI and emerging technologies. The insights were that AI can support automation of quality assurance processes (e.g. password policy compliance) and can enhance cyber defence, particularly in threat intelligence and risk analysis.
However, there are also challenges, which can include unidentified risks and new exposures introduced by AI integration, and vulnerability to AI-targeted cyber-attacks. Examples include risks such as model poisoning, which could undermine data integrity and large language models.
In response to a G20 call, the FSB has conducted work to promote greater convergence in cyber incident reporting by establishing recommendations, enhancing the Cyber Lexicon to ensure it is up to date with the “common language” and developing a common Format for Incident Reporting Exchange (FIRE).
However, a challenge can also provide an opportunity to avoid harm, including through the use of synthetic data. Synthetic data is artificially generated data that replicates the statistical properties of real-world datasets without containing any original, sensitive information. In cybersecurity, this makes it a powerful tool for training machine learning models, simulating threats, and testing security systems in a safe and privacy-preserving way. It can be useful in ensuring robust systems and controls for regulated firms.
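The idea can be shown in a few lines. The following is an added illustration, not code from the author or from any regulator: it reduces a small constructed telemetry sample to summary statistics, generates artificial records from those statistics alone, and uses them to test a toy anomaly detector. All names, sample values and the detection threshold are assumptions made for the example.

```python
import random
import statistics

# Constructed sample standing in for real telemetry (not from the article):
# (user, login_hour, kb_sent, failed_logins)
REAL = [
    ("alice", 9, 420.0, 0), ("bob", 10, 510.0, 1), ("carol", 14, 380.0, 0),
    ("dave", 11, 460.0, 0), ("erin", 16, 530.0, 2), ("frank", 8, 400.0, 0),
    ("grace", 13, 490.0, 1), ("heidi", 15, 440.0, 0),
]
COLUMNS = {"login_hour": 1, "kb_sent": 2, "failed_logins": 3}

def fit(rows):
    """Reduce the real rows to per-column (mean, standard deviation)."""
    profile = {}
    for name, idx in COLUMNS.items():
        values = [row[idx] for row in rows]
        profile[name] = (statistics.mean(values), statistics.stdev(values))
    return profile

def synthesize(profile, n, seed=0):
    """Draw n artificial rows from the profile alone; identifiers are new.
    Assumption: independent Gaussian columns, so correlations are lost."""
    rng = random.Random(seed)
    rows = []
    for k in range(n):
        row = {"user": f"synthetic-{k:05d}"}
        for name, (mu, sigma) in profile.items():
            row[name] = max(0.0, rng.gauss(mu, sigma))
        rows.append(row)
    return rows

def zscore_alerts(rows, profile, column="kb_sent", threshold=6.0):
    """Toy detector: flag rows far from the baseline for one column."""
    mu, sigma = profile[column]
    return [r["user"] for r in rows if abs(r[column] - mu) / sigma > threshold]

def evaluate(n=2000):
    profile = fit(REAL)
    synthetic = synthesize(profile, n)
    leaked = {row[0] for row in REAL} & {r["user"] for r in synthetic}
    syn_mean = statistics.mean(r["kb_sent"] for r in synthetic)
    # Labelled test case: a transfer ten standard deviations above baseline.
    mu, sigma = profile["kb_sent"]
    synthetic.append({"user": "synthetic-outlier", "login_hour": 3.0,
                      "kb_sent": mu + 10 * sigma, "failed_logins": 0.0})
    return profile, leaked, syn_mean, zscore_alerts(synthetic, profile)

if __name__ == "__main__":
    print(evaluate())
```

With so few source rows the summary statistics could themselves be identifying, and a generator used in practice would also need to preserve the relationships between columns.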
Synthetic data in cybersecurity can be applied in a number of positive ways. One is training and testing machine learning models, which enables AI models to learn threat detection, anomaly detection, and intrusion detection. It allows exposure to rare, emerging attack patterns not present in real-world datasets. Another positive is simulating cyber threats. Security teams can generate adversarial synthetic data to mimic malicious network traffic, phishing attempts, ransomware, or Distributed Denial of Service (DDoS) attacks. DDoS attacks may be used for ransomware/extortion attempts, “hacktivism” or competitive sabotage, or as a smokescreen that distracts IT security specialists with a false alert while the attackers strike elsewhere. Distributed means that the traffic comes from different sources, often globally, making it harder to block. The effect can be costly, with slower network performance, file inaccessibility, or total website shutdown.
Other positives include enhancing phishing and social engineering detection, where synthetic behavioural data models deceptive user interactions to improve system defences against fraudulent activities, and stress-testing security systems. Synthetic attack environments allow safe stress-testing of cybersecurity infrastructure. This also helps uncover weaknesses before real-world attackers exploit them.
Privacy-compliant data sharing is another virtue, which is particularly valuable in finance and in regulated industries bound by the GDPR. Synthetic datasets enable secure collaboration without exposing personal or sensitive details.
Finally, in software testing and development, developers can test new security tools and features with synthetic data, which also helps identify vulnerabilities before production deployment.
In conclusion, cyberattacks continue their exponential rise. There are ways of mitigating the threat and using this to help compliance with systems and controls regulations, with synthetic data emerging as a critical enabler for cybersecurity innovation. While challenges remain in ensuring data quality, realism and fairness, the benefits of privacy preservation, speed, and resilience make synthetic data a powerful tool for strengthening modern cybersecurity defences. Robust systems and controls are a regulatory obligation, as well as good common sense. Firms ignore this subject at their peril.
June 2026