UK regulators publish joint 2025 CBEST thematic report
21 January 2026
The Bank of England, UK Prudential Regulation Authority and UK Financial Conduct Authority have published their 2025 annual CBEST thematic report. CBEST is a threat-led penetration testing assessment framework of cyber resilience, helping regulators, firms and financial market infrastructures (FMIs) identify vulnerabilities and take remedial action. This report summarises insights from recent CBEST assessments conducted across firms and FMIs. While it does not introduce any new or additional regulatory expectations, it articulates gaps, some of them foundational, observed in firms' and FMIs' cyber defences.
Key messages for firms and FMIs to consider include:
- To reduce the likelihood of severe cyberattacks, firms and FMIs should harden operating systems by patching vulnerabilities and securely configuring key applications.
- The impact of unauthorised access to sensitive systems and information can be reduced by strengthening credentials management, enforcing strong passwords, considering the use of multi-factor authentication, preventing or detecting insecure credential storage and through appropriate segmentation of networks.
- Early detection and effective monitoring, alerting and response processes are key to reducing the impact of cyberattacks.
- Firms and FMIs should implement risk-based remediation plans with oversight from risk managers and internal auditors to ensure the successful remediation of technical findings, including vulnerabilities.
Financial Regulatory Developments Focus