WP_Post Object
(
[ID] => 137725
[post_author] => 41
[post_date] => 2026-03-05 09:00:13
[post_date_gmt] => 2026-03-05 09:00:13
[post_content] => The UK’s financial services sector punches well above its weight. London is a close second to New York as the world’s preeminent financial hub and the country is the world’s biggest net exporter of financial services. But this success makes it a huge target for cybercriminals and nation-state actors. And despite being one of the most highly regulated sectors, cyber resilience is not where it should be.

The continued cost to the economy of cyber-attacks on the sector, and the spectre of a systemic incident, is why the Bank of England (BoE) continues to run a pen-testing framework known as CBEST. Unfortunately, its latest report highlights that there’s still a long way to go for the industry.
What the Report Found
The point of CBEST is to simulate the kind of attacks banks and other financial sector companies would experience in the wild – at the hands of sophisticated criminal groups, state actors and malicious insiders. These efforts are focused on third-party supplier compromise, social engineering and insider activity because they are the areas the industry has most difficulty tackling. Zero-day exploits, custom malware, AI-driven automation and precise targeting are all used in these red team assessments – in attacks simulating end goals such as cyber-espionage, financial gain and sabotage.

So, what did the BoE find?
- Inconsistently configured and insufficiently hardened/patched systems
- A lack of encryption for data at rest including privileged credentials
- Weak identity and access management controls (including weak passwords and/or insecure password storage)
- Overly permissive access controls
- Sub-par detection and response (eg “poorly tuned” EDR)
- Ineffective traffic monitoring/inspection (enabling attackers to hide in legitimate traffic)
- Ineffective network segmentation (eg between development and production environments) amplifying the potential impact of attacks
- Staff susceptible to direct and indirect social engineering
- Staff routinely storing credentials in unprotected environments (eg open file shares)
- Insecure helpdesk protocols which enable hackers to amplify social engineering efforts
The report also noted that organisations’ threat intelligence was lacking in “strategic planning, defining requirements, establishing governance frameworks, and mapping out long-term capabilities.” That has led to a disconnect between the intelligence that financial services firms are collecting and their actual business/operational needs. It means challenges in scaling and/or evolving these programmes, the BoE claimed.
Why It Matters
The tactics, techniques and procedures (TTPs) deployed by CBEST’s pen testers were chosen for a reason. They reflect the kind of threats that financial institutions are facing on a daily or weekly basis. In a section in the report, the National Cyber Security Centre (NCSC) warned that the Scattered Spider collective is well known for social engineering IT helpdesk personnel to reset passwords and MFA tokens, for example. It’s believed to have done this during the M&S and Co-Op group ransomware attacks.

Separately, it cited Chinese APT group Volt Typhoon, which compromised large parts of US critical national infrastructure networks with covert attacks. Better network monitoring and segmentation would have helped to shine a light on these efforts and limit the blast radius of attacks, the NCSC claimed.

Financial services firms should not only view CBEST as an important foundation for building resilience against real-world attacks. Many will also need to improve security posture in light of the EU’s Digital Operational Resilience Act (DORA), which mandates strict new requirements across the banking supply chain. Supply chains are a particular risk. One 2025 report claimed that 58% of large financial services firms suffered at least one third-party attack the previous year, with a fifth (23%) being targeted three or more times.
What Happens Next?
In the foreword to the report, the BoE and regulators the FCA and Prudential Regulation Authority (PRA) urged organisations in the sector to address “the underlying causes” of risk rather than apply temporary patches. That means taking a technical and cultural approach, covering prevention, detection and response.

Specifically, the BoE/FCA/PRA want to see organisations in the sector:
- Patching and configuring critical applications and operating systems
- Strengthening credential management, enforcing strong passwords, using MFA and segmenting networks
- Ensuring early detection and effective monitoring to reduce the impact of attacks
- Implementing risk-based remediation plans in collaboration with risk managers and internal auditors
In addition to this, the NCSC wants to see improvements in staff training, especially in light of AI-generated phishing, to help build a positive security culture. It also wants stricter privileged account management (PAM) along best practice lines, and closer oversight of assets, especially legacy IT, in part to help with the journey to post-quantum cryptography (PQC).

Network segmentation, device hardening and continuous monitoring should all be deployed as part of a zero-trust approach to security, it said. Comprehensive logging and incident response processes can improve the resilience of monitoring and detection capabilities. Threat hunting offers important extra insight to uncover more sophisticated malicious activity, the NCSC concluded.
Getting Started
So where do financial services firms begin? Beyond Blue director, Carl Hunt, argues that detection is a good place to start.

“This includes improving endpoint detection and response but also correlating events across their organisation's likely attack paths to detect anomalous behaviour,” he tells IO (formerly ISMS.online). “To conduct this, a good understanding of critical assets, attack paths and effective tuning of detection rules is required.”

The human aspect of response is another critical endeavour which security teams often miss.

“CISOs need to be empowered to isolate an attack in a timely manner, which requires the business context to make the necessary decisions. This is a particular challenge where security operations are outsourced,” Hunt continues. “It should be remembered that in a real-life attack, attackers are moving quickly to achieve their objectives rather than in a more controlled manner as with a simulated exercise such as CBEST. A rapid response is vital to limit the impact.”

He points to network segmentation as equally critical, in order to contain the blast radius of attacks. “This also underpins recovery strategies through mapping of IT and networks to essential business functions, effective containment and then the eventual eradication of an attack can be achieved,” says Hunt.

The good news is that standards like ISO 27001 can help organisations put the foundations in place to accelerate these best practices, and deliver the risk-based approach to cybersecurity that regulators increasingly expect, grounded in a culture of continuous improvement.
[post_title] => UK Financial Services Firms Are Still Failing the Basics, the BoE Warns
[post_excerpt] =>
[post_status] => publish
[comment_status] => closed
[ping_status] => open
[post_password] =>
[post_name] => uk-financial-services-firms-are-still-failing-the-basics-the-boe-warns
[to_ping] =>
[pinged] =>
[post_modified] => 2026-03-04 11:39:47
[post_modified_gmt] => 2026-03-04 11:39:47
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.isms.online/?p=137725
[menu_order] => 0
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
Phil Muncaster