The Bank of England Just Told You Your Financial Sector Can't Do Basic Cybersecurity. Again.

Every year, the Bank of England runs live cyberattack simulations against the UK's most systemically important financial institutions. Not tabletop exercises. Not questionnaires. Actual simulated attacks, on live production systems, conducted by CREST-accredited penetration testers working from real threat intelligence about how sophisticated actors actually operate.

The programme is called CBEST. It has been running since 2014. And every year, the Bank, the Prudential Regulation Authority, and the Financial Conduct Authority publish what they found.

The 2025 results are now published. I have read them carefully. Here is what they say.

What CBEST Actually Is

Before we get to the findings, it is worth being precise about what this programme represents, because the implications are significant.

CBEST is not a survey. It is not a self-assessment. Thirteen of the UK's most heavily regulated, most compliance-focused, most resource-rich financial institutions submitted to live penetration testing against real threat scenarios in 2025. The testers were given intelligence about the actual tactics, techniques, and procedures used by sophisticated and state-sponsored threat actors. They then applied those techniques to live systems, in live environments, with real data.

These are the institutions that employ entire departments of security professionals. Institutions that are subject to more regulatory oversight than virtually any other sector in the UK economy. Institutions that have every incentive, financial and reputational, to get this right.

The 2025 findings document what testers were able to do to them.

The Findings: Three Years, Same Story

The CBEST 2025 thematic report identifies findings across five areas of cybersecurity. Three address technical controls. One addresses detection and response. One addresses staff culture, awareness, and training.

Across the 13 assessments, the report identified overly permissive access controls, including inadequate role-based access management; weak credential hygiene, including passwords stored in plain text; misconfigured and inconsistently patched systems; ineffective network monitoring and vulnerability detection; and staff who remained susceptible to social engineering and phishing.

These are not novel findings. They are the same findings from the 2024 report. And the 2023 report.

The Register's coverage of the 2025 publication noted this directly: weak configurations, overly permissive access controls, ineffective network and vulnerability monitoring, and staff susceptible to social engineering and phishing were all features of the BoE's reports from 2023 and 2024.

Three consecutive years. The most regulated sector in the UK economy. The same basic failures, documented, reported, and evidently not remediated.

The regulators themselves note in the 2025 foreword that firms need to address "the underlying causes" of risk rather than apply temporary patches. That is a carefully worded statement from a regulatory authority. What it means, plainly, is that organisations are patching symptoms without fixing root causes, and the same vulnerabilities are reappearing in the next assessment cycle.

What "Basic" Actually Means Here

I want to be specific about the nature of these failures, because there is a tendency to hear "cybersecurity issues at financial firms" and imagine sophisticated nation-state intrusions defeating advanced defences.

That is not what is being described.

Passwords stored in plain text means that when a tester gained access to one system, credential files were readable without any additional effort. Overly permissive access controls means that accounts had far more access than their function required, so a single compromised account could move laterally across the network. Ineffective vulnerability monitoring means that known vulnerabilities, ones with published patches, were sitting on live systems unaddressed.

These are the findings Cyber Essentials was designed to prevent. The NCSC's free guidance addresses all of them. They are not arcane. They are not expensive to fix. They are the cybersecurity equivalent of leaving the office unlocked.

And they are present, repeatedly, in institutions managing billions of pounds of assets and millions of customers' personal financial data.

The Economic Consequence Is Not Hypothetical

In September 2025, Jaguar Land Rover suffered a cyberattack attributed to the criminal group Scattered Lapsus Hunters. Production stopped at UK plants for weeks. The Cyber Monitoring Centre categorised the incident as a systemic event. The estimated cost to the UK economy reached £1.9 billion. Over 5,000 organisations across JLR's supply chain were affected.

The Bank of England cited the attack in its November 2025 Monetary Policy Report as a contributing factor to lower-than-expected UK GDP growth in Q3 2025. ONS data showed motor vehicle manufacturing alone shaved 0.17 percentage points off GDP in September, contributing to a contraction that month.

Marks and Spencer's April 2025 attack, attributed to the same criminal ecosystem, resulted in cyber-related costs the company warned could reach £300 million by year-end.

These are not data points from the theoretical threat landscape. They are direct economic consequences of cybersecurity failures at large organisations, measured in hundreds of millions of pounds and reported in the Bank of England's official publications.

The question is not whether cybersecurity failures cause material economic harm. The Bank of England has now answered that question definitively. The question is what to do about it.

The SMB Implication: Your Financial Ecosystem

Here is the line of reasoning that I want to walk through deliberately, because it matters for every small business in the UK.

Your business interacts with the financial sector constantly. Your bank processes your transactions. Your payroll provider holds your staff's financial data. Your accountant's firm stores your financial records. Your insurer has assessed your risk profile. Your bookkeeper may have access to your accounts receivable.

CBEST does not assess small businesses. It assesses systemically important financial institutions. But the security posture of the organisations your business depends on is not independent of your own risk exposure. When your accountant's network has overly permissive access controls and unpatched systems, and a threat actor compromises it, your financial data is in that network.

This is what the supply chain risk argument looks like in the financial services context. The CBEST findings tell you something concrete about the baseline security maturity of even well-resourced, heavily regulated organisations. The gap between that baseline and the average small professional services firm's security posture is, in most cases, significant.

The NCSC and the Bank of England's joint position, reflected in the CBEST thematic report, is that staff training, patch management, credential hygiene, access controls, and monitoring are the foundations. Not aspirational goals: the foundations. If those foundations are absent at well-funded institutions under regulatory supervision, they warrant serious scrutiny at the organisations your business trusts with its financial data.

How to Turn This Into a Competitive Advantage

The CBEST report is public. The findings are published. Most of your competitors have not read it and will not read it.

You can.

If your business operates in professional services, financial advisory, legal, or any sector where clients trust you with sensitive financial information, the CBEST findings give you a concrete basis for differentiating your security posture. The specific weaknesses identified (password hygiene, access controls, patch management, staff training) are all addressable through a structured approach aligned to Cyber Essentials.

Cyber Essentials certification directly addresses four of the five CBEST finding categories. If your business is certified, and you understand why, you can make a credible, specific claim to clients: that you have independently verified controls against exactly the vulnerabilities that regulators are finding in financial institutions.

That is not a marketing assertion. It is a verifiable, certified security position. In a sector where clients increasingly ask about data protection and supplier security, that distinction is commercially meaningful.

How to Sell This to Your Board

Frame the risk in economic terms the board understands:

The Bank of England has now published that a single cyberattack on one manufacturer cost the UK economy £1.9 billion and affected 5,000 organisations in its supply chain. M&S's attack cost up to £300 million. These are not edge cases: they are the most prominent examples from a year in which the NCSC reported nationally significant attacks rose from 89 to 204.

The regulatory trajectory is clear:

The BoE/FCA/PRA foreword to the 2025 CBEST report explicitly calls for organisations to address underlying causes. The NCSC's annual review called out a lack of urgency. The Cyber Resilience Bill, expected to begin phased enforcement from 2026, will extend regulatory reach to managed service providers. The direction of travel is toward greater accountability, not less.

The board ask is specific and proportionate:

Mandate a gap assessment against the five CBEST finding categories: access controls, credential management, patch management, detection and monitoring, and staff training. Cyber Essentials provides a structured framework for the first four. A staff phishing simulation addresses the fifth. Neither requires a large capital investment. Both produce documented evidence of due diligence.

The cost of not doing this is not abstract. It is now documented in the Bank of England's official publications and measured in GDP contraction.

What This Means for Your Business

  1. Audit your access controls this month. Who has access to what? Does every account have only the access it genuinely requires? Overly permissive access is the finding that appears most consistently in CBEST reports because it is the one that enables attackers to move laterally once they are inside.

  2. Check your credential hygiene. Are any passwords stored in plain text, spreadsheets, or shared documents? If you are using a password manager for your business, verify that staff are actually using it. If you are not, deploy one.

  3. Verify your patch status. When did your systems, routers, firewalls, and software last receive security updates? If the answer involves any uncertainty, that is your answer.

  4. Assess your third-party financial relationships. Your bank, accountant, payroll provider, and insurer all hold sensitive data about your business. Do you know their security posture? Have you asked? Supplier security questionnaires are a legitimate and increasingly standard part of commercial due diligence.

  5. Consider Cyber Essentials certification. It is the UK government's baseline certification framework. It directly addresses the recurring CBEST weaknesses. It is independently verified. And it signals to clients, insurers, and partners that you have not left the foundational controls unaddressed.
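As an added illustration (not code from this post, the Bank of England or the NCSC), here is one way to turn the first three items above into a repeatable gap check: it flags accounts holding permissions beyond their role baseline, lines in shared documents or config files that look like stored secrets, and hosts whose last security update is older than 14 days or unknown. The account, document and host inventories are constructed for the demonstration, and the role baseline is a hypothetical one; the 14-day window is the Cyber Essentials requirement for critical and high-severity updates.

```python
"""
Constructed gap check against three of the CBEST 2025 finding categories:
access controls, credential hygiene and patch management.
All inventory data below is made up for the demonstration.
"""
from datetime import date, timedelta
import re

# Hypothetical role baseline: the permissions each job role genuinely needs.
ROLE_BASELINE = {
    "bookkeeper": {"ledger:read", "ledger:write", "invoices:read"},
    "sales": {"crm:read", "crm:write", "invoices:read"},
    "it_admin": {"servers:admin", "backup:admin"},
}

# Constructed account inventory: what each account actually holds today.
ACCOUNTS = [
    {"user": "alice", "role": "bookkeeper",
     "granted": {"ledger:read", "ledger:write", "invoices:read"}},
    {"user": "bob", "role": "sales",
     "granted": {"crm:read", "crm:write", "invoices:read",
                 "ledger:write", "servers:admin"}},
    {"user": "carol", "role": "it_admin",
     "granted": {"servers:admin", "backup:admin", "ledger:read"}},
]

# Constructed file contents standing in for shared documents and configs.
DOCUMENTS = {
    "shared/onboarding.txt": "Welcome! Wifi: Office5G\nVPN password: Winter2025!\n",
    "shared/policy.txt": "Passwords must be stored in the password manager.\n",
    "app/config.ini": "db_user=app\ndb_password = s3cr3t\n",
}

# Constructed host inventory with the date of the last security update.
HOSTS = [
    {"host": "fw-edge", "last_patched": date(2025, 11, 1)},
    {"host": "file-srv", "last_patched": date(2025, 12, 1)},
    {"host": "laptop-07", "last_patched": None},  # unknown counts as a finding
]

# Cyber Essentials: critical/high updates applied within 14 days.
PATCH_WINDOW = timedelta(days=14)

# A line that assigns a literal secret, e.g. "password: x" or "db_password = y".
CREDENTIAL_LINE = re.compile(r"(?i)\b\w*(password|passwd|pwd)\w*\s*[:=]\s*\S+")


def excess_permissions(accounts, baseline):
    """Return {user: sorted excess permissions} for accounts that hold more
    than their role's baseline (the 'overly permissive access' finding)."""
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        excess = acct["granted"] - allowed
        if excess:
            findings[acct["user"]] = sorted(excess)
    return findings


def plaintext_credentials(documents):
    """Return [(path, line_no)] for lines that look like a stored secret,
    so they can be moved into a password manager and the secret rotated."""
    hits = []
    for path, text in documents.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            if CREDENTIAL_LINE.search(line):
                hits.append((path, line_no))
    return hits


def stale_hosts(hosts, today, window=PATCH_WINDOW):
    """Return host names whose last security update is older than the window
    or unknown; any uncertainty is treated as a finding."""
    stale = []
    for h in hosts:
        last = h["last_patched"]
        if last is None or today - last > window:
            stale.append(h["host"])
    return stale


def gap_report(today=date(2025, 12, 10)):
    """Run all three checks and return one dict keyed by finding category."""
    return {
        "access_controls": excess_permissions(ACCOUNTS, ROLE_BASELINE),
        "credential_hygiene": plaintext_credentials(DOCUMENTS),
        "patch_management": stale_hosts(HOSTS, today),
    }


if __name__ == "__main__":
    for category, findings in gap_report().items():
        print(f"{category}: {findings if findings else 'no findings'}")
```

Run against the constructed data, the report flags bob (sales) for holding ledger write and server admin rights, carol for a ledger read right outside the IT admin role, two lines containing stored passwords, and two hosts outside the patch window. Replacing the constructed inventories with exports from your identity provider, file shares and patch tooling turns the same three functions into the documented evidence the board ask in the previous section calls for.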

The Bank of England publishes the same findings three years running because organisations are not fixing the root causes. That pattern does not have to continue in your business.



Corrine Jefferson

Corrine Jefferson is a senior security consultant based in London, specialising in threat intelligence, incident response, and practical risk reduction for real organisations. Corrine previously worked in US Government intelligence and now advises organisations on how attackers actually operate, and how to stop preventable failures before they become headlines.
