On 20 October 2025, the Bank of England (BoE), Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) (the regulators) jointly published observations of effective practices in relation to cyber response and recovery capabilities.

Background

The regulators explained that the practices and examples set out are primarily from large, complex firms, but that the underlying principles will, in many cases, be relevant across the wider population of regulated firms.

Key practices

  • Response to a high severity cyber disruption: The regulators highlighted that firms are recognising that severe cyber-attacks are increasingly plausible. As a result, the most mature firms have considered impact tolerance metrics beyond the duration of the attack to include value, volume, critical activity and end-users, and have developed alternative solutions and workarounds to respond to this. Further, the most effective firm self-assessments include a pre-defined crisis communication plan, and firms have tested the resilience of their communication capabilities or have alternative communication channels in place.
  • Recovery from a high severity cyber disruption: The regulators explained that firms have implemented a range of solutions to strengthen their resilience and recovery capabilities, including the ability to restore critical data from immutable back-ups and to rebuild critical applications and core infrastructure, and the use of a separate, segregated facility designed to make it highly unlikely that an external actor could gain unauthorised access to the firms’ production environments. Ultimately, many firms are testing their ability to switch over to a tertiary site or to a stand-in service.
  • Response to a high severity cyber disruption at a firm’s material third party: The regulators also made clear that where third parties support the delivery of important business services, the most mature firms ensure that the third party’s resilience capabilities are equivalent to those of their own infrastructure; where firms cannot achieve this level of assurance, they are considering alternative ways to remain within impact tolerances.
  • Use of collective action to build resilience: The regulators also set out that firms are working collectively, by sharing knowledge and expertise, and working on collective solutions. For example, the Cross Market Operational Resilience Group has produced guidance for firms in relation to this area.

Next steps

The regulators encouraged firms to consider their investment in resilience capability and to keep their boards apprised of their operational resilience work through regular updating of self-assessments. Further, the regulators highlighted that firms should look to take a dynamic approach in response to continually evolving risks.