On 13 December 2024, the Bank of England published a web page on the latest annual CBEST thematic. The thematic is intended to inform the financial sector of the findings and lessons learned from the CBEST programme, which assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments.

CBEST is a threat-led penetration testing assessment framework that enables firms and financial market infrastructures (FMIs) to identify, understand and remediate vulnerabilities in their cyber resilience. Each year, the UK financial regulators provide their thematic analysis of recent CBEST findings so that firms and FMIs can better assess their cyber risks and ensure they have adequate resilience capabilities to prepare for, and respond to, cyber incidents that could cause operational disruption and affect financial stability.

Findings from the Threat Intelligence Maturity Assessment (TIMA), part of CBEST, showed that firms and FMIs displayed weaknesses in their threat intelligence operations, particularly in integrating threat intelligence with business lines and in raising situational awareness within firms and FMIs.

To further enhance the sector’s cyber resilience capabilities, the regulators intend to start consulting in the second half of 2025 on expectations around the management of Information and Communication Technology (ICT) and cyber resilience risks. This includes risks arising from IT transformations, and the sector’s ability to detect, withstand and recover from disruptions in the event of ICT and cyber incidents.