Bank of England Report: UK Financial Sector Still Failing Basic Cybersecurity Controls
#Cybersecurity

Privacy Reporter

Despite years of regulation, UK financial institutions continue to miss fundamental cybersecurity safeguards, with the Bank of England's 2025 CBEST assessments revealing persistent weaknesses in access controls, patch management, and social engineering defenses that mirror findings from previous years.

The Bank of England's latest cybersecurity review paints a concerning picture: years after regulators first identified critical vulnerabilities, UK financial institutions still struggle with basic cybersecurity controls. The 2025 CBEST report, co-authored by the Prudential Regulation Authority, Financial Conduct Authority, and Bank of England, shows that fundamental security gaps remain unaddressed across the sector.

What Happened: Persistent Failures in Basic Controls

The 2025 assessments, which included 13 CBEST evaluations and regulator-backed penetration tests for finance businesses, revealed that poor access controls and weak password practices remain common among both businesses and financial market infrastructures (FMIs). From a technical standpoint, misconfigured systems and inconsistent patch management were highlighted as recurring issues, alongside inadequate mechanisms for detecting intrusions and vulnerabilities.

The report explicitly states: "Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls."

The Social Engineering Problem

CBEST assessments specifically focused on social engineering tactics, which criminals could successfully deploy against organizations with poor security cultures. Assessors concluded that phishing attacks would likely succeed in some cases, and that staff revealing sensitive information through social media and job descriptions represented a realistic threat.

FMIs lacking strict protocols for helpdesk operations—particularly identity verification for callers—proved vulnerable to attackers fraudulently accessing legitimate credentials. The National Cyber Security Centre (NCSC) identified this as "the bread and butter" of groups like Scattered Spider, a collective thought to comprise native English speakers and suspected of involvement in high-profile attacks on British businesses last year.

"They are known to use phishing and spear phishing to leverage established trust in organizations," the NCSC stated. "Therefore, it is important to ensure that all individuals in an organization are aware of potential tricks and methods to counter these attempts."

The CBEST framework simulates the most severe and plausible threats to FMIs. The 2025 assessments tested regulated financial organizations against four attack themes observed frequently in real-world incidents throughout the year:

  1. Sophisticated and state-sponsored groups
  2. Compromised third parties and supply chains
  3. Malicious insiders
  4. Social engineering attacks

All four themes were identified as requiring improved resilience from regulated entities. The assessments don't introduce new regulatory requirements—UK financial institutions already face some of the world's most stringent cybersecurity regulations under GDPR, the Network and Information Systems (NIS) Regulations, and sector-specific FCA requirements.

Instead, CBEST serves as a guide for understanding common security gaps likely to lead to successful cyberattacks and potentially damaging consequences.

Historical Pattern: Same Issues, Different Year

Comparing 2025 results with previous years reveals a troubling pattern. The key weaknesses identified over the past 12 months were also primary issues in 2023 and 2024:

  • Weak configurations
  • Overly permissive access controls
  • Ineffective network and vulnerability monitoring
  • Staff susceptibility to social engineering and phishing

This repetition suggests that despite regulatory pressure and public reporting, fundamental security hygiene remains elusive for many organizations.

Some Progress: The MFA Improvement

Not all findings were negative. The report notes that organizations and FMIs "demonstrated a range of maturities across cyber threat intelligence (CTI) management domains," with most assessed entities having "relatively effective foundations" across CTI operating models. However, intelligence was often poorly integrated across business functions.

Most notably, multi-factor authentication (MFA) implementation showed marked improvement. The 2023 and 2024 reports highlighted struggles with rolling out effective MFA programs, but this control was notably absent from primary failures in the 2025 review.

Impact on Users and Companies

For consumers, these findings should be concerning. Financial institutions that fail to implement basic cybersecurity controls represent a direct risk to personal data and financial assets. The persistence of these vulnerabilities over multiple years suggests that regulatory pressure alone hasn't been sufficient to drive meaningful change.

For companies, the implications are significant:

  1. Regulatory Risk: While CBEST assessments don't introduce new requirements, they document failures that could inform future enforcement actions under existing regulations like GDPR (Article 32) or the NIS Regulations.

  2. Operational Risk: Persistent weaknesses in access controls, patch management, and social engineering defenses create ongoing exposure to cyberattacks that could disrupt operations or compromise sensitive data.

  3. Reputational Risk: Public reporting of these failures, especially when they repeat year after year, damages trust with customers and partners.

  4. Financial Risk: Beyond potential fines, successful attacks can lead to direct financial losses, remediation costs, and increased insurance premiums.

What Changes: The Path Forward

The Bank of England's message is clear: technical controls alone are insufficient. The report emphasizes that "in addition to technical measures, we continue to observe challenges in staff culture, awareness, and training."

For regulated entities, this means:

  1. Beyond Compliance: Moving from checkbox compliance to genuine security resilience, focusing on controls that address the specific threats tested in CBEST assessments.

  2. Cultural Shift: Implementing comprehensive security awareness programs that address social engineering, phishing, and the risks of information sharing on social media.

  3. Process Rigor: Establishing and enforcing strict protocols for critical operations like helpdesk identity verification.

  4. Integrated Intelligence: Ensuring cyber threat intelligence isn't just collected but actively integrated into business operations and decision-making.

  5. Resilience Planning: Developing incident response capabilities that assume protective controls will fail, as the report suggests.

The repeated nature of these findings suggests that the financial sector needs more than just awareness—it needs systematic changes in how cybersecurity is prioritized, funded, and measured. As the NCSC's warning about groups like Scattered Spider demonstrates, the threat landscape continues to evolve, while basic security fundamentals remain unaddressed.

For the UK's financial sector, the question isn't whether these vulnerabilities exist—they're well-documented. The question is whether the industry will finally address them before a major incident forces the issue.

Read the full CBEST report on the Bank of England's website

NCSC guidance on social engineering attacks

GDPR Article 32: Security of processing

UK NIS Regulations 2018