On 30 September 2021, the Bank of England, PRA and FCA published a letter they had sent to the senior management function (SMF) holder with responsibility for cyber at each firm that had participated in the latest annual cycle of CBEST assessments.

CBEST is a framework for intelligence-led penetration testing which focuses on an organisation’s security controls and capabilities when faced with a simulated cyber-attack. The simulated attacks used in testing are tailored to the threat and vulnerability profile of each organisation and represent an evidence-based and robust testing approach.

The letter sets out the results of the latest CBEST assessments so that the relevant SMF holder can ensure their firm benefits from the weaknesses identified and addresses potentially similar weaknesses in their own firm. The relevant SMF holder should also raise awareness in their senior executive team and use the letter to inform the work of their firm’s risk and internal audit functions.

For firms that have participated in the latest CBEST cycle, the remediation plans that have been agreed with supervisors will remain the primary focus for addressing their cyber resilience issues. The thematic feedback included in the letter may provide additional information that can be incorporated in these plans.