Bank of England Finds Financial Firms Failing Basic Cybersecurity Controls

The Bank of England's CBEST cybersecurity assessment program has found widespread failures in basic cybersecurity practices across UK financial institutions, according to a thematic report published jointly by the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority.

The findings, derived from 13 threat-led penetration tests of banks, insurers, asset managers, and financial market infrastructures, reveal gaps in fundamental controls including patching, encryption, identity management, network segmentation, and incident detection.

Penetration Tests Expose Systemic Weaknesses

The CBEST program simulates realistic adversarial attacks against systemically important financial institutions to identify vulnerabilities before real threat actors can exploit them. The 2025 thematic report consolidates findings across five security domains, with failures observed in each area.

Infrastructure security assessments found firms maintaining inconsistent configuration practices across system endpoints, with insufficiently hardened or unpatched systems vulnerable to simulated exploitation. Organizations lacking strong cryptographic protections for data at rest had insufficient defenses against attempts to access, damage, or destroy sensitive data and privileged credentials.

Identity and access management failures were pervasive. Firms that did not enforce strong password standards or allowed credentials to be stored insecurely in plaintext were more likely to have user identities compromised. Overly permissive access controls, including lack of role-based restrictions on administrator and service accounts, left organizations susceptible to privilege escalation and lateral movement by simulated attackers.

Detection Capabilities Found Lacking

Detection and response weaknesses significantly hampered defenders during simulated attacks. Firms with poorly tuned monitoring or alerting capabilities were less able to detect potential cyberattacks in their early stages, and weaknesses were also noted in endpoint detection and response tooling and in data exfiltration monitoring.

Ineffective network monitoring left organizations vulnerable to attackers obfuscating malicious activities within seemingly legitimate traffic. The report noted instances where outbound connectivity from unmonitored devices enabled simulated data theft.

Network segmentation failures increased the risk of unauthorized access to sensitive systems. Firms lacking segmentation between development and production environments faced heightened potential impact from cyberattacks, while limited application of least-privilege principles expanded attacker reach once initial access was achieved.
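Both of the network weaknesses described above (outbound connectivity from unmonitored devices, and missing segmentation between development and production) leave a trail in ordinary firewall connection logs. The following script is an added example, not part of the regulators' report or of this article: it runs two detection rules over a constructed log sample and flags egress from hosts that are absent from the monitoring inventory as well as cross-segment flows that the segmentation policy does not permit. The segment ranges, hostnames, inventory, log format and addresses are all constructed for the demonstration.

```python
"""Flag egress from unmonitored devices and dev-to-prod traffic in firewall logs.

Added example (not from the BoE/PRA/FCA report). All segment ranges, the asset
inventory, the log format and the log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed segment plan: one RFC 1918 range per environment.
SEGMENTS = {
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "dev": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.30.0.0/16"),
}

# Cross-segment flows the segmentation policy permits (source, destination).
# Traffic inside one segment is always allowed; anything else is a violation.
ALLOWED_CROSS_SEGMENT = {("corp", "prod"), ("corp", "dev")}

# Constructed asset inventory: hosts known to report into EDR/monitoring.
MONITORED_HOSTS = {"10.10.1.5", "10.20.4.12", "10.30.7.40"}

# Constructed log format: "<ts> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


def segment_of(ip):
    """Name the internal segment an address belongs to; anything else is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport, nbytes = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def analyse(lines):
    """Return (alerts by rule name, bytes sent to external addresses per source host)."""
    alerts = defaultdict(list)
    egress_bytes = defaultdict(int)
    for line in lines:
        flow = parse(line)
        # Denied flows never left the network; only allowed traffic is exposure.
        if flow is None or flow["action"] != "ALLOW":
            continue
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if dst_seg == "external":
            egress_bytes[flow["src"]] += flow["bytes"]
            if flow["src"] not in MONITORED_HOSTS:
                alerts["unmonitored_egress"].append(
                    f"{flow['ts']} {flow['src']} ({src_seg}) -> {flow['dst']}:{flow['dport']} "
                    f"{flow['bytes']}B from a host not in the monitoring inventory")
        elif src_seg != dst_seg and (src_seg, dst_seg) not in ALLOWED_CROSS_SEGMENT:
            alerts["segmentation"].append(
                f"{flow['ts']} {src_seg} host {flow['src']} reached {dst_seg} host "
                f"{flow['dst']}:{flow['dport']}")
    return dict(alerts), dict(egress_bytes)


# Constructed sample log: one permitted corp->prod flow, one dev->prod violation,
# one large upload from an unmonitored dev host, one blocked attempt, one
# ordinary DNS lookup from a monitored production host.
SAMPLE_LOG = [
    "2025-01-14T09:00:01Z ALLOW TCP 10.30.7.40:51000 -> 10.10.1.5:443 2048",
    "2025-01-14T09:00:05Z ALLOW TCP 10.20.4.12:51001 -> 10.10.1.5:5432 1024",
    "2025-01-14T09:01:10Z ALLOW TCP 10.20.9.77:51002 -> 198.51.100.23:443 734003200",
    "2025-01-14T09:01:12Z DENY TCP 10.20.9.77:51003 -> 198.51.100.23:22 0",
    "2025-01-14T09:02:00Z ALLOW UDP 10.10.1.5:53000 -> 198.51.100.9:53 120",
]


def run_sample():
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    alerts, egress = run_sample()
    for rule, hits in alerts.items():
        for hit in hits:
            print(f"[{rule}] {hit}")
    for host, total in egress.items():
        print(f"egress {host}: {total} bytes")
```

The per-host egress byte totals are kept separately from the alerts so a volume threshold can be layered on top; the monitoring-inventory rule deliberately fires on any external connection from an unknown host, because the finding in the report is the absence of visibility rather than the size of a single transfer.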

Human Factors Remain Critical Vulnerability

Staff culture, awareness, and training emerged as a significant weakness across assessed organizations. Employees susceptible to social engineering tactics made their firms more vulnerable to simulated phishing attacks targeting credentials or system access.

The report highlighted users routinely storing credentials in unprotected locations such as spreadsheets and open file shares, which were exposed and used during simulated attacks. Insecure helpdesk protocols with limited or no authentication of callers allowed simulated attackers to obtain credentials through fraudulent interactions.
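Credentials left in spreadsheets, scripts and notes on open shares, as described above and in the report's credential-theft findings, can be found by defenders before they are found by an attacker. The scanner below is an added example and is not code from the report or this article: it recognises credential columns in exported spreadsheets and key-value assignments in text files, skips values that are only placeholders or variable references, and redacts what it reports so the output itself does not become another copy of the secret. The share paths and file contents are constructed for the demonstration.

```python
"""Scan file shares for credentials stored in plaintext.

Added example (not from the BoE/PRA/FCA report). The sample share contents,
paths and values below are constructed.
"""
import csv
import io
import os
import re
from dataclasses import dataclass

# Column headers that mark a credential column in an exported spreadsheet.
CREDENTIAL_HEADERS = {"password", "passwd", "pwd", "secret", "api_key", "apikey", "token"}

# key=value / key: value assignments in configs, scripts and notes.
KEY_VALUE_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']?([^\s\"',;]+)")

# Values that are references or placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|\*+|changeme|x{3,}|redacted)$", re.I)

TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env", ".ps1", ".sh",
                   ".yaml", ".yml", ".json", ".xml", ".md"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    preview: str  # redacted value; the report never contains the secret itself


def redact(value):
    """Keep a two-character prefix so an owner can recognise the entry."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_text(path, text):
    """Return the credential findings in one file's contents."""
    findings = []
    lines = text.splitlines()
    if path.lower().endswith(".csv") and lines:
        reader = csv.reader(io.StringIO(text))
        header = [h.strip().lower() for h in next(reader, [])]
        cols = [i for i, h in enumerate(header) if h in CREDENTIAL_HEADERS]
        if cols:
            for lineno, row in enumerate(reader, start=2):
                for i in cols:
                    value = row[i].strip() if i < len(row) else ""
                    if value and not PLACEHOLDER_RE.match(value):
                        findings.append(Finding(path, lineno, header[i], redact(value)))
            return findings
    for lineno, line in enumerate(lines, start=1):
        for m in KEY_VALUE_RE.finditer(line):
            key, value = m.group(1).lower(), m.group(2)
            if PLACEHOLDER_RE.match(value):
                continue
            findings.append(Finding(path, lineno, key, redact(value)))
    return findings


def scan_share(root):
    """Walk a mounted share on the real filesystem and scan every text-like file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample share (hypothetical paths and values).
SAMPLE_SHARE = {
    r"\\fileserver\public\it\service_accounts.csv":
        "system,username,password\n"
        "payments-db,svc_pay,Winter2024!\n"
        "jump-host,svc_jump,<rotated-see-vault>\n",
    r"\\fileserver\public\dev\deploy.ps1":
        "$ApiKey = 'AKIAEXAMPLEKEY12345'\n"
        "Connect-Service -Password $env:SVC_PASSWORD\n",
    r"\\fileserver\public\ops\README.txt":
        "Restart procedure: see runbook. Token: ${VAULT_TOKEN}\n",
}


def scan_sample_share():
    findings = []
    for path, content in SAMPLE_SHARE.items():
        findings.extend(scan_text(path, content))
    return findings


if __name__ == "__main__":
    for f in scan_sample_share():
        print(f"{f.path}:{f.line} {f.key} = {f.preview}")
```

On the constructed share the scanner reports the service-account password in the spreadsheet and the hard-coded API key in the deployment script, while the vault reference, the environment-variable lookup and the placeholder row are correctly ignored; `scan_share()` applies the same logic to a real mounted share.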

APTs and Supply Chain Risks Dominate Threat Landscape

The CBEST threat intelligence component identified highly capable state actors, organized criminal groups, and malicious insiders as the most common threat actors simulated in 2025 assessments. These adversaries employ advanced techniques including zero-day exploits, custom malware, and AI-driven automation.

Third-party supplier compromise emerged as the most frequently encountered attack scenario, reflecting the growing dependence on external providers and the potential for a single breach to impact multiple organizations simultaneously. Social engineering and malicious insider activity rounded out the top threat vectors.

The report documented 469 successful attack tactics across assessments, mapped to the MITRE ATT&CK framework. Common techniques included reconnaissance through publicly available employee information, initial access via spear-phishing, persistence through DLL sideloading, and credential theft from exposed passwords and configuration files.

NCSC Highlights Real-World Parallels

The UK National Cyber Security Centre provided additional context linking CBEST findings to observed threat actor behavior. The agency cited Scattered Spider's use of social engineering against IT helpdesks to reset passwords and MFA tokens, and Volt Typhoon's exploitation of privilege escalation vulnerabilities and living-off-the-land techniques against critical infrastructure.

The NCSC emphasized that staff training and awareness should be considered integral to effective cybersecurity, noting that AI-generated content has made phishing increasingly difficult to recognize. Organizations were advised to develop positive security cultures where employees actively participate in identifying and reporting security issues.

Remediation Guidance Issued

The regulators outlined key recommendations for addressing identified weaknesses. Firms should harden operating systems through vulnerability patching and secure configuration of key applications. Strengthening credential management, enforcing strong passwords, implementing multi-factor authentication, and preventing insecure credential storage were identified as priorities.

Early detection through effective monitoring, alerting, and response processes was emphasized as critical to reducing cyberattack impact. The report encouraged risk-based remediation planning with oversight from risk managers and internal auditors to ensure successful closure of technical findings.

The publication does not introduce new regulatory expectations but articulates foundational gaps observed in financial sector cyber defenses that regulators expect firms to address.
