Bank of England: Financial sector failing to implement basic cybersecurity controls
(2026/01/22)
- Reference: 1769088205
- News link: https://www.theregister.co.uk/2026/01/22/financial_sector_cyber_gap/
- Source link:
Concerned about the orgs that safeguard your money? The UK's annual cybersecurity review for 2025 suggests you should be. Despite years of regulation, financial organizations continue to miss basic cybersecurity safeguards.
The latest findings come from the [1]CBEST report, which was co-authored by representatives from the Prudential Regulation Authority, Financial Conduct Authority, and Bank of England.
Taking 2025's most prominent findings from 13 CBEST assessments and regulator-backed pentests of finance businesses, the BoE found that weaknesses such as poor access controls and weak passwords were common among firms and financial market infrastructures (FMIs).
From a technical perspective, misconfigured and inconsistently [3]patched systems were highlighted as recurring issues, as were gaps in the mechanisms for detecting intrusions and vulnerabilities.
The report noted: "Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls.
"In addition to technical measures, we continue to observe challenges in staff culture, awareness, and training, highlighting that technical measures alone are not sufficient."
CBEST assessments revealed that criminals using [7]social engineering tactics could bypass controls when targeting organizations with a poor security culture. Assessors believe that [8]phishing could be successful in some cases, and that staff revealing sensitive information through social media and job descriptions was a realistic possibility.
FMIs that did not have strict protocols for their helpdesks, such as verifying the identity of callers, were also vulnerable to attackers who fraudulently obtained legitimate credentials.
The NCSC weighed in on this matter, saying these kinds of attacks are the bread and butter of groups like [9]Scattered Spider. The group is thought to be made up of native English speakers, and cyber-cops speculate it is behind at least some of the [10]high profile attacks on British businesses last year.
"They are known to use phishing and spear phishing to leverage established trust in organizations," said the NCSC. "Therefore, it is important to ensure that all individuals in an organization are aware of potential tricks and methods to counter these attempts."
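The helpdesk weakness described above (verifying callers on facts they recite, or calling back numbers they supply) is the pretext Scattered Spider-style crews rely on. The following is an added example, not code from the article, the regulators or the CBEST report, of a reset-verification gate that refuses knowledge-based answers as proof, sends a one-time code only to a contact enrolled at onboarding, and requires a second approver for privileged accounts. The directory, the SMS callable, the manager-approval rule and the sample accounts are assumptions constructed for the demo.

```python
"""Helpdesk caller-verification gate for credential resets (added example).

Not the article's or the CBEST report's code. Demonstrates the control the
report says weak FMIs lacked: a reset is released only after out-of-band
confirmation via a contact enrolled at onboarding, never on facts the caller
recites (which job adverts and social media leak) and never to a number the
caller supplies on the call. Directory, SMS transport and the manager-approval
rule are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import hashlib
import hmac
import secrets


@dataclass
class Account:
    username: str
    registered_phone: str            # enrolled out of band, not on the call
    privileged: bool = False         # e.g. payments operator, domain admin
    manager: Optional[str] = None    # who must approve a privileged reset


@dataclass
class ResetRequest:
    username: str
    caller_phone: str = ""           # whatever the caller says on the line
    knowledge_answers: dict = field(default_factory=dict)  # DOB, pet name...
    manager_approval: Optional[str] = None


class HelpdeskGate:
    """One pending one-time code per account; stored only as an HMAC digest."""

    def __init__(self, directory: Dict[str, Account],
                 send_sms: Callable[[str, str], None]):
        self._dir = directory
        self._send = send_sms                    # callable(phone, text)
        self._key = secrets.token_bytes(32)      # per-process HMAC key
        self._pending: Dict[str, bytes] = {}
        self.audit: list = []                    # what an analyst would review

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def start(self, req: ResetRequest) -> str:
        acct = self._dir.get(req.username)
        if acct is None:
            return "DENY: unknown account"
        # Step-up: privileged accounts need a second human in the loop.
        if acct.privileged and req.manager_approval != acct.manager:
            return "DENY: privileged reset requires the recorded manager's approval"
        # Knowledge-based answers are logged but never counted as proof.
        if req.knowledge_answers:
            self.audit.append(f"{acct.username}: ignored knowledge answers")
        # A caller-supplied number differing from the enrolled one is the
        # classic number-swap pretext: record it, but call back only the
        # registered device regardless.
        if req.caller_phone and req.caller_phone != acct.registered_phone:
            self.audit.append(f"{acct.username}: caller phone mismatch")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[acct.username] = self._digest(code)
        self._send(acct.registered_phone, f"Helpdesk reset code {code}")
        return "PENDING: awaiting code from registered device"

    def confirm(self, username: str, code: str) -> str:
        # Single attempt per request: the digest is consumed on any answer,
        # so a wrong guess forces the agent to start over.
        expected = self._pending.pop(username, None)
        if expected is None:
            return "DENY: no pending request"
        if not hmac.compare_digest(expected, self._digest(code)):
            return "DENY: code mismatch"
        return "APPROVED: reset may proceed"


if __name__ == "__main__":
    # Constructed scenario: an impersonator asks for 'alice', citing her DOB
    # and asking for the code to be sent to "their new phone".
    sent = []
    directory = {
        "alice": Account("alice", "+447700900123"),
        "ops-admin": Account("ops-admin", "+447700900456", True, "bob"),
    }
    gate = HelpdeskGate(directory, lambda phone, text: sent.append((phone, text)))
    print(gate.start(ResetRequest("alice", caller_phone="+447700900999",
                                  knowledge_answers={"dob": "1990-01-01"})))
    print("code went to", sent[-1][0], "| audit:", gate.audit)
    print(gate.start(ResetRequest("ops-admin")))
```

The design point is that nothing the caller says on the line changes where the proof of identity is delivered or whether it is accepted; the only inputs that matter are what was enrolled out of band and, for privileged accounts, a second named approver.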
Social engineering attacks were one of four areas of focus for CBEST assessments in 2025, which are required to simulate the most severe and plausible threats to FMIs.
Other types of attack that regulated financial organizations were tested against included those from sophisticated and state-sponsored groups, compromised third parties and supply chains, and malicious insiders.
All four of these themes were observed frequently in real-world attacks throughout the year. The regulators said regulated entities needed to improve their resilience against them.
Comparing the results of the 2025 assessments with previous years makes for interesting, if unsurprising reading.
Many of the key weaknesses highlighted by the assessments over the past 12 months were the primary issues of yesteryear too.
Weak configurations, overly permissive access controls, ineffective network and vulnerability monitoring, and staff who were susceptible to social engineering and phishing were all features of the BoE's reports from 2023 and 2024.
It's not all bad, though. CBEST assessors found that organizations and FMIs "demonstrated a range of maturities across cyber threat intelligence (CTI) management domains."
They judged most of the assessed orgs to have "relatively effective foundations" across CTI operating models, although the report said the intelligence was not often well-integrated across the business.
Plus, despite many of the main weaknesses identified in previous years remaining unaddressed in 2025, improvements can be seen, such as with [16]MFA.
Per the 2023 and 2024 reports, organizations were struggling to roll out effective MFA programs, but the control was not mentioned alongside the primary failures in the most recent annual review.
The purpose of CBEST assessments is not to introduce new regulatory requirements on those in the financial sector, which are already among the most heavily regulated for cybersecurity.
The BoE says the assessments serve as guides for all regulated entities to understand the most common security gaps that are likely to lead to a successful cyberattack, and potentially damaging consequences resulting from one. ®
[1] https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/2025-cbest-thematic
[3] https://www.theregister.com/2026/01/16/patch_tuesday_secure_launch_bug_no_shutdown/
[7] https://www.theregister.com/2025/08/21/impersonation_as_a_service/
[8] https://www.theregister.com/2025/10/16/ai_makes_phishing_45x_more_effective/
[9] https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/
[10] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[16] https://www.theregister.com/2025/12/06/multifactor_authentication_passkeys/
Incentives
A - probably apocryphal - story which I heard many years ago.
At some international conference for telcos/utilities, a person from Singapore was scheduled to give a talk on preventing accidental cable cuts when putting in new infra. The talk was packed as Singapore had an incredibly low rate of such incidents. The speaker just outlined the same measures as all other countries were taking. Nothing new. In the Q&A, someone asked the speaker why Singapore had such a low rate. The answer: The person who severs the cable/pipe gets 5 years in prison and their manager 25 years.
When it comes to companies who hold a shedload of personal, sensitive data about the rest of us, I wonder ....