Bolstering resilience: Effective cyber response and recovery practices for financial services

Shakeel Aslam · Posted on: December 22nd 2025


The persistence and severity of cyber-attacks represent a substantial and evolving threat to the financial sector. In a joint publication, Effective practices: Cyber response and recovery capabilities, the Bank of England (Bank), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) highlight effective practices observed in the operational resilience self-assessments of systemic firms and Financial Market Infrastructures (FMIs). 

This guidance is crucial for Chief Financial Officers (CFOs), Heads of Tax, and Non-Executive Directors (NEDs) across financial services organisations. It not only outlines the regulatory expectation for strengthening cyber resilience but also offers practical examples to support strategic discussions, assurance, and challenge at the Board level. Operational resilience is an ongoing priority, requiring a strategic and dynamic approach to keep pace with the changing risk landscape and increasing third-party dependencies.

 

Effective practice: Response to high-severity disruption

Firms are now simulating destructive scenarios involving highly capable threat actors, recognising that severe cyber-attacks are increasingly plausible. The most mature firms have evolved their assessment of risk beyond mere duration of an outage.

Impact tolerances and mitigation 
  • Expanded Metrics: Leading firms have adopted impact tolerance metrics that encompass value, volume, critical activity, end-users, and types of payments, providing a more accurate picture of the service level required to mitigate risks to consumer harm, market integrity, safety & soundness, and financial stability. 

  • Systemic Impact Focus: Firms whose important business services support the orderly functioning of financial markets are setting impact tolerances that reflect the potential for broader systemic impact. 

  • Prioritised Alternatives: This refined calibration enables the development of alternative solutions, such as prioritising the delivery of key service elements (e.g., critical payments) or transitioning to a segregated alternative solution with lower capacity, potentially using workarounds or restoring minimum infrastructure. 

Communication resilience 

A pre-defined crisis communication plan is an essential element of the most effective self-assessments. This plan must be transparent and timely, covering all stakeholders, including customers, counterparties, regulators, and the broader public. Firms are actively testing the resilience of these communication channels, for example, by ensuring alternative channels exist should on-premises communication infrastructure be compromised.


Effective practice: Recovery from high-severity disruption 

The ability to recover quickly and completely from an attack is a critical area of focus, especially as a severe cyber-attack may disrupt multiple sites and destroy systems and backups. 

Key recovery solutions include:

  1. Immutable Back-ups and Restoration: Firms are investing in immutable back-up capabilities for data and applications, meaning the data cannot be changed, modified, or deleted once backed up. Subsequent testing ensures data can be restored to a usable, complete, and accurate state.
  2. Bare Metal Recovery: Testing the ability to conduct a bare metal recovery in a clean environment is vital. This process ensures that the entire system (operating system, applications, and data) can be rebuilt from scratch without reliance on potentially compromised infrastructure or backups.
  3. Recovery Prioritisation: Recognising the considerable time needed to restore significant volumes of data, some firms are prioritising the most critical data required to deliver important business services within impact tolerances, ensuring this can be recovered quickly.
  4. Segregated Tertiary Facilities: Many firms are using a separate, segregated, tertiary facility designed to be highly unlikely to be compromised simultaneously with production environments. Testing the ability to switch over to this tertiary site, or a stand-in service, is being actively performed.
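The restoration testing described in items 1 and 3, as an added example that is not part of the original publication or this post: it records SHA-256 hashes of backed-up files in a manifest (assumed to be kept alongside the immutable backup), then checks a restored copy for completeness and accuracy and reports whether each priority tier has been fully recovered. File names, contents and tiers are constructed sample data.

```python
import hashlib

# Constructed sample: what was backed up, with a recovery-priority tier per file
BACKED_UP = {
    "ledger/payments.db": (b"critical payment records", "critical"),
    "ledger/index.db": (b"secondary index", "critical"),
    "reports/q3.pdf": (b"quarterly report", "deferred"),
    "archive/2019.tar": (b"old archive", "deferred"),
}

# Constructed restore outcomes: a clean restore, and a damaged one with a
# tampered critical file, a missing deferred file and a stray extra file
RESTORED_CLEAN = {path: content for path, (content, _) in BACKED_UP.items()}
RESTORED_DAMAGED = {
    "ledger/payments.db": b"critical payment records",
    "ledger/index.db": b"tampered index",
    "reports/q3.pdf": b"quarterly report",
    "tmp/stray.log": b"not in the manifest",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record each file's hash and tier at backup time (store with the immutable backup)."""
    return {p: {"sha256": sha256(c), "tier": t} for p, (c, t) in files.items()}


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored file set against the manifest.

    Returns missing, altered and unexpected paths, whether the restore is
    complete, and a per-tier flag so critical data can be signed off first.
    """
    missing = sorted(p for p in manifest if p not in restored)
    altered = sorted(p for p in manifest
                     if p in restored and sha256(restored[p]) != manifest[p]["sha256"])
    unexpected = sorted(p for p in restored if p not in manifest)
    tiers = {}
    for path, entry in manifest.items():
        tiers.setdefault(entry["tier"], True)
        if path in missing or path in altered:
            tiers[entry["tier"]] = False
    return {"missing": missing, "altered": altered, "unexpected": unexpected,
            "tiers": tiers, "complete": not (missing or altered or unexpected)}


if __name__ == "__main__":
    manifest = build_manifest(BACKED_UP)
    print(verify_restore(manifest, RESTORED_CLEAN))
    print(verify_restore(manifest, RESTORED_DAMAGED))
```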

Effective practice: Third-party cyber resilience 

The reliance on third-party suppliers is a major complication, as assurance can diminish further down the supply chain, and firms often lack full sight of their suppliers' cyber resilience. 

The most mature firms actively require their material third parties to have resilience capabilities equivalent to their own. Where this level of assurance is currently unobtainable, firms are pursuing alternative ways to remain within impact tolerances: 

  1. Requiring the third party to build its own resilience capability.
  2. Developing the ability to fail over to an alternative third-party provider or to the firm's own systems.
  3. Establishing sustainable manual workarounds for capabilities provided by the third party.
  4. Building the capability to restore the service following data loss or destruction at the provider.

The importance of collective action 

Beyond individual firm efforts, the regulators encourage engagement with collective action initiatives. The Cross Market Operational Resilience Group (CMORG) plays a key role, providing guidance, sharing intelligence on the cyber threat landscape, and conducting coordinated exercises to strengthen sector-wide resilience. 

"In a continually evolving threat landscape, the regulators stress that operational resilience is not a one-off compliance activity but a dynamic process that must be regularly monitored, and boards must be kept apprised of their firm's self-assessments and ongoing work."

Shakeel Aslam, Partner
