Bank of England: Financial sector failing to implement basic cybersecurity controls

Summary

The Bank of England, together with the Prudential Regulation Authority and the Financial Conduct Authority, published findings from the 2025 CBEST assessments showing UK financial organisations and financial market infrastructures (FMIs) continue to miss basic cybersecurity controls. Across 13 assessments and regulator-backed penetration tests, common failings included weak access controls and passwords, misconfigured and inconsistently patched systems, poor detection and monitoring, and gaps in staff culture and training.

CBEST exercises simulated severe and plausible threats — from social engineering and phishing to state-sponsored attacks, compromised third parties, supply chain issues and malicious insiders. Assessors noted social engineering remains effective where security culture is weak and that helpdesks without strict verification protocols are vulnerable to credential misuse. The report also observed some positive movement: multifactor authentication rollouts have improved and many organisations show solid foundations in cyber threat intelligence, though that intelligence is often not well integrated across the business.

Key Points

  • CBEST 2025 assessments (Bank of England, PRA, FCA) found persistent basic cybersecurity weaknesses across the financial sector.
  • Frequent technical issues: misconfigurations, inconsistent patching, inadequate intrusion/vulnerability detection.
  • Human and process failures remain significant: poor security culture, phishing susceptibility, and weak helpdesk identity verification.
  • Assessments simulated a wide range of threats, including social engineering, state-sponsored actors, compromised third parties and malicious insiders.
  • Some improvements seen: better rollout of MFA and generally effective foundations in cyber threat intelligence, but CTI often not well integrated into operations.
  • Problems highlighted in 2025 mirror recurring issues from 2023 and 2024 — many basic gaps remain unaddressed.
  • CBEST aims to guide regulated entities on common exploitable gaps rather than introduce new regulatory requirements.

Why should I read this?

Short version: if you handle money, or the systems that do, this is the warning you should’ve already seen. The regulators keep flagging the same stupid gaps (weak passwords, shaky patching and staff getting fooled) and attackers keep exploiting them. Read this to know which basics still need fixing, and needed fixing yesterday.

Context and Relevance

The report is important because it shows that, despite heavy regulation, the UK financial sector still struggles with foundational cyber hygiene. That makes high-value targets — banks, payment systems and FMIs — attractive to organised and state-linked threat actors. The persistence of these issues across multiple years increases the risk of disruptive incidents, systemic harm and reputational damage. The findings reinforce the industry trend that technical controls alone are insufficient: culture, training, robust operational processes (helpdesk verification, supply chain controls) and integration of threat intelligence into business decision-making are equally necessary.

Author style (Punchy)

This is blunt: regulators keep seeing the same holes and attackers are happy to keep using the same playbook. If you’re responsible for risk, resilience or operations in finance, treat this as an urgent checklist — basic controls matter, and ignoring them leaves consumer money and market stability at risk.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/22/financial_sector_cyber_gap/