October 29, 2025

by: kiran

Tags: "Regulation"

Building Cyber Resilience: Lessons from the Bank of England, PRA and FCA’s Latest Guidance

On 20 October, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) jointly published Effective Practices: Cyber Response and Recovery Capabilities.

The paper presents observed good practices from operational resilience self-assessments across systemic firms and financial market infrastructures. It provides valuable insight into how leading organisations are strengthening their ability to respond to and recover from cyber incidents.

Why It Matters

Cyber-attacks remain one of the most significant threats to the financial sector; you only need to look at the recent £14m Capita fine for cyber failures to appreciate this. Regulators are encouraging all firms, including insurers and intermediaries, to review these practices and enhance their own cyber resilience.

For insurance sector firms already subject to operational resilience requirements, the paper offers a clear view of regulatory expectations for managing severe cyber disruptions, supporting both firm stability and the wider integrity of the financial system.

Key Highlights

Severe Scenario Planning
Firms are increasingly simulating destructive cyber-attacks by highly capable threat actors and expanding scenarios to cover multiple important business services.

Mature firms set impact tolerances that go beyond simple downtime, including metrics such as transaction volume, value, critical activities and number of end-users, to define the minimum service levels needed to prevent harm to consumers and markets. This broader view ensures resilience targets align with potential systemic impacts.

Alternative Service Delivery
To stay within impact tolerances during a severe attack, firms have developed contingency solutions for critical services. Some firms, for instance, identified vital payments that must continue and built the capability to process them even if primary systems fail, for example through minimal infrastructure restoration or by switching to segregated backup systems.

Crisis Communications & Continuity
Effective response plans include predefined communication strategies to deliver timely, transparent updates during and after a cyber-attack. Leading firms ensure all stakeholders (customers, counterparties, regulators and markets) are kept informed, and they regularly test the resilience of communication channels.

Robust Data Recovery Capabilities
Many firms have accelerated investment in data backup and restoration. Effective practices include maintaining immutable backups for critical data and applications and testing recovery frequently. Clear internal plans prioritise which systems to rebuild first, accounting for dependencies to restore essential services swiftly.

Tertiary Resilience Solutions
Some firms are introducing separate, segregated tertiary sites or backup platforms that attackers cannot easily access. Regular testing ensures a smooth and rapid switch-over if primary systems are compromised.

Third-Party Cyber Preparedness
Recognising that outsourcing can create vulnerabilities, leading firms ensure critical third-party providers maintain resilience standards equivalent to their own. This is especially relevant in light of the recent Capita breach.

Regulatory Programme of Action – CMORG and Sector-Wide Collaboration

The regulators emphasise that cyber resilience is not just a firm-level issue but a sector-wide priority.

The Cross Market Operational Resilience Group (CMORG), a joint industry-regulator forum, plays a pivotal role in this collaboration. CMORG regularly issues guidance to help firms meet resilience requirements, updating it as the industry shares lessons learned.

Currently, CMORG is developing new guidance on designing and delivering firm-level cyber recovery capabilities, aimed at helping both individual firms and the wider sector prepare for severe scenarios.

Firms are also collaborating to share insights on their most important third-party providers and exploring solutions to mitigate concentration risks (for example, when many firms rely on the same critical supplier). While adopting CMORG guidance is voluntary, regulators strongly encourage participation in these initiatives.

Next Steps for Firms

Insurance firms and intermediaries should take proactive steps to integrate these findings into their cyber and operational resilience frameworks:

  • Board Oversight & Governance – Ensure boards and senior management actively review cyber response readiness. Boards should challenge whether impact tolerances (for example, for claims processing or policy management) are set appropriately and seek assurance that plans can maintain services within those limits during an extreme cyber event.
  • Severe Scenario Testing – Include extreme but plausible cyber-attack scenarios in regular testing and exercises. Use lessons learned to update playbooks and strengthen teamwork during crises.
  • Enhance Recovery Planning – Assess data recovery arrangements against regulatory best practice. Identify which services and data are top priority for recovery and ensure restoration plans are tested and time-bound.
  • Third-Party Assurance – Review the cyber resilience of critical outsourcing partners. Take lessons from the recent Capita breach and engage providers to confirm robust response and recovery capabilities, and where gaps exist, establish contingency plans.
  • Crisis Communication Drills – Strengthen incident communication plans. Prepare clear messaging for customers, markets and regulators in the event of a breach.
  • Sector Engagement – Stay informed about CMORG and other resilience initiatives. Active engagement helps firms benchmark against peers and anticipate future expectations.

By embedding these actions, firms not only enhance their cyber defences but also contribute to the broader stability and trust of the UK financial system, a point regulators have consistently underscored.

How Padda Consulting Can Help

We specialise in regulatory compliance and operational resilience, supporting insurance firms in assessing and enhancing their cyber response and recovery capabilities in line with the latest regulatory guidance.

  • Cyber Resilience Gap Analysis – Independent review of your firm’s cyber incident response and recovery plans, benchmarked against the effective practices identified by regulators.
  • Recovery Architecture Support – Assistance in developing robust data recovery, continuity and fallback solutions.
  • Third-Party Resilience Reviews – Evaluation of key outsourcing arrangements and vendors’ recovery capabilities, with strategies to address weaknesses and strengthen contractual oversight.
  • Policy & Framework Development – Updating internal policies, self-assessment frameworks and documentation to reflect evolving regulatory expectations.

Our experts combine deep regulatory insight with practical resilience design, helping firms not only meet FCA and PRA expectations but also build lasting operational resilience and client confidence.

To discuss how Padda Consulting can help your firm strengthen its cyber response and recovery capabilities, get in touch with our team.