UK regulators publish effective practices on cyber response and recovery capabilities
20 October 2025

The Bank of England, UK Financial Conduct Authority (FCA) and UK Prudential Regulation Authority (PRA) have published a joint document outlining effective practices in cyber response and recovery capabilities across systemic firms and financial market infrastructures (FMIs). The publication highlights practices drawn from firms' operational resilience self-assessments and is structured around the following four key areas:

- Response to a high severity cyber disruption – more mature firms are using a broader set of impact tolerance metrics, beyond duration alone, to define critical service levels. These include metrics such as value, volume, critical activity, end-users and types of payments. Effective self-assessments also feature clear, timely crisis communication plans and resilient communication capabilities.
- Recovery from a high severity cyber disruption – firms are accelerating their recovery capabilities by implementing a range of solutions, such as investing in immutable back-up capabilities for data (among other solutions listed in the document), and by using segregated tertiary facilities to ensure continuity and prevent unauthorised access to the firms' production environments.
- Response to a high severity cyber disruption at a firm's material third-party – more mature firms are actively ensuring that their third-party resilience capabilities are equivalent to those they would expect from their own infrastructure. Where this is not feasible, firms are exploring alternatives such as failover to internal systems, manual workarounds, or requiring third-parties to build their own capabilities.
- Use of collective action to build resilience – firms are increasingly sharing knowledge and collaborating on collective solutions. Notable examples include work led by the Cross Market Operational Resilience Group.
Financial Regulatory Developments Focus