Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are interested in subscribing to our affordable ABC compliance support package, please email us at ABC@ukgigroup.com or call UKGI on our dedicated ABC contact line 01925 767893.

FCA updates its Operational Resilience web page – 2025 CBEST thematic results

Link(s): Operational resilience | FCA

Context

The FCA has updated its Operational Resilience web page to add a link to, and commentary about, the 2025 CBEST thematic results. CBEST is a targeted assessment tool to help regulators assess firms’ and financial market infrastructures’ (FMIs) cyber resilience by using live penetration testing that mimics the actions of cyber attackers. It enables regulators, firms and FMIs to better understand vulnerabilities and take remedial actions, strengthening the resilience of individual firms and the wider financial sector.

Key points to note and next actions

  • Each year, the FCA and the PRA publish a thematic analysis of CBEST assessments, highlighting cyber resilience observations from CBEST, such as firms’ cyber defence, detection and response capabilities against cyber threats, together with contributions from the National Cyber Security Centre (NCSC).
  • In the 2025 CBEST thematic, for the first time the report sets out the regulators’ insights on the tactics, techniques and procedures most commonly used in CBEST, as well as their observations on some of the challenges firms faced when remediating CBEST findings.
  • The report sets out that maintaining strong cyber hygiene is not a one-time exercise but a continuous effort to reduce exposures and strengthen resilience.
  • Weaknesses in infrastructure security, asset management or application security that were exploited during CBESTs include firms not maintaining strong configuration practices.
  • Firms which did not have strong cryptographic protections for data-at-rest are likely to have insufficient protection against attempts to access, damage or destroy sensitive data and/or privileged credentials.