Cyber focus: UK regulators publish 2023 CBEST findings

In the last few years, cyber and operational resilience has shot to the top of financial regulators’ agenda. And as wave after wave of technological innovation propels the financial services industry, how firms prepare to withstand cyber and operational shocks will continue to be under the supervisory spotlight in 2024 (read more in our Fintech & Payments Legal Outlook 2024).

The Bank of England, PRA and FCA have released the thematic findings from this year’s CBEST cycle. Previously CBEST results were only shared with participating firms so this wider release is a statement from the regulators about the importance of improving cyber resilience across the financial sector.

What is CBEST?

CBEST is a form of penetration testing which the regulators use to assess the cyber resilience of firms’ important business services. Financial institutions and financial market infrastructure participating in the CBEST programme undergo live tests that mimic the actions of cyber attackers. These tests allow participating financial institutions to assess their detection and response capabilities.

What are the findings from the latest CBEST?

Some positive practices emerged from the testing. These include: 

• use of strong authentication for accessing critical assets
• timely and proactive reporting of phishing 
• use of strong passwords
• ring-fencing core systems within dedicated bastion zones
• use of full-drive encryption to mitigate attacks where assets were physically out of an organisation’s control

Common gaps were also identified, including:

• lack of establishment, sufficient strength, and/or enforcement of policies and standards that govern identity and access management
• failure to sufficiently review and measure cyber hygiene
• over-exposure of sensitive data in public media on firm/FMI-owned websites, as well as those of third parties
• sensitive technical information disclosed in job descriptions, posts on corporate websites, or social media
• insufficient segregation of corporate networks
• inconsistencies in levels of data protection, for example in how data backups are created and stored

Why are the thematic findings important?

Cyber attacks can cause reputational damage and financial loss, and potentially undermine market confidence. 

To combat cyber crime, and to raise awareness among market participants, financial regulators across the world are increasing transparency and information-sharing on cyber threats and readiness. Consistent with this trend, these CBEST thematic results have been shared with non-participating financial institutions and financial market infrastructures so that they can embed the findings in their cyber strategies.

As with any complex and dynamic scenario, it is difficult to identify a single feature as the most important or most relevant. That is why it is crucial to engage every level of the organisation in the common effort of building and reinforcing resilience. Read more in our Cyber Security Handbook.

With thanks to Elton Qemali, Paralegal, Linklaters for contributing to this post.