On 31 January 2023, the Bank of England (BoE) published a letter sharing the thematic findings from the latest annual cycle of CBEST assessments conducted by the BoE, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (collectively, the regulators) on participating banks, insurers, asset and investment managers and financial market infrastructure. CBEST focuses on an organisation’s security controls and capabilities when faced with a simulated cyber-attack.

The regulators analysed the outcomes of the CBEST assessments and identified trends and findings descriptive of the sector’s current cyber posture. These findings are being shared so that firms can take note of the weaknesses identified and thereby address any potential similar weaknesses they may have themselves. The regulators also hope to raise awareness in firms’ senior executive teams and to inform the work of firms’ risk and audit functions.

The findings may also be used by the regulators to structure future supervisory interaction and understand the level of engagement firms have achieved with the senior executive team, risk and audit functions on the issues identified as in need of remediation.

For firms that have participated in the latest CBEST cycle, the remediation plans that have been agreed with supervisors will remain the primary focus for addressing their cyber resilience issues, although the thematic CBEST findings may provide additional information that can be incorporated into those plans.