- Key insight: Unlike the U.S. focus on tabletop exercises, U.K. regulators mandate live-fire attacks on actual bank systems to uncover real-world weaknesses.
- Expert quote: “This year, our findings continue to highlight gaps in firms’ foundational cyber defenses,” U.K. regulators wrote in the 2025 report.
- What’s at stake: U.S. regulators have warned that a single cyber failure could cause “widespread and cascading effects” across the financial sector.
Overview bullets generated by AI with editorial review
New findings from the Bank of England’s 2025 cybersecurity stress tests reveal that despite rigorous, intelligence-led simulations on live banking systems, the United Kingdom’s most critical financial institutions still struggle with foundational cyber hygiene.
The findings offer a stark point of comparison for U.S. banks, which undergo regular regulatory assessments that pale in comparison to the live-fire testing U.K. regulators apply to the country’s banks.
While U.S. regulators encourage tabletop exercises, U.K. regulators mandate that the largest institutions withstand simulated attacks on their actual production environments, providing a real-time look into the vulnerabilities that plague the global financial system.
For U.S. banks, the U.K. results underscore the persistence of basic security gaps — in particular, weak patch management and identity controls — even within the world’s most regulated institutions.
“This year, our findings continue to highlight gaps in firms’ foundational cyber defenses,” U.K. regulators wrote in the report released this week.
The results from live cyber supervision
The U.K.’s banking regulators — the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority — together use a testing framework known as CBEST, which unlike traditional audits uses threat-led penetration testing that mimics the behaviors of real-world cyber attackers.
Testers perform these simulations on the live production systems of the institutions to assess their actual detection and response capabilities, and regulators require these exercises for firms and financial market infrastructure companies deemed systemically important to the country’s financial sector.
CBEST is designed to ensure that these key institutions “can continue to deliver their important business services during severe but plausible” disruption, according to the CBEST implementation guide.
The 2025 analysis of these tests found that firms often failed to maintain “strong configuration practices” and lacked “strong cryptographic protections for data-at-rest,” according to this year’s report.
Common weaknesses the CBEST report identified include “having overly permissive access controls,” such as inadequate role-based access, and “not maintaining strong credential hygiene practices,” which includes storing passwords in plain text, according to the report.
Furthermore, the testing revealed that staff remain susceptible to social engineering. The report notes instances of “staff being manipulatable by social engineering that seeks to discover passwords or token codes,” often facilitated by employees over-exposing sensitive data on social media platforms.
The closest equivalent by American regulators
Across the Atlantic, while U.S. regulators do not completely avoid cybersecurity exercises — for example, the Treasury Department
While “the strength of the federal banking system remains sound,” at the same time, “cyber threats remain a concern” according to an Office of the Comptroller of the Currency
In its semiannual
The Financial Stability Oversight Council echoes this in its 2025 annual report, noting that “cyber incidents have not resulted in a significant systemic event for the U.S. financial services sector to date,” but warning that the potential consequences include “large-scale service disruptions” and “challenges with accessing liquidity.”
CISA and the global standard
While the regulatory regimes differ, the intelligence fueling these tests often originates from the same sources. The U.K. testing framework relies heavily on global vulnerability data to design realistic threat scenarios.
A primary source of this data is the Common Vulnerabilities and Exposures, or CVE, program. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, funds the CVE program, which serves as a global baseline for identifying software security holes.
CISA’s funding for the CVE program nearly lapsed earlier this year, when the agency decided to issue an 11-month funding renewal the night before it was set to expire.
Out of the crisis grew
Banks around the world, including those in the U.K., integrate CVE data into their patch management programs to ensure they are not exposed to publicly known weaknesses. However, the “2025 CBEST thematic” report notes that despite access to this intelligence, firms struggled with “insufficiently hardened or unpatched systems,” leaving them vulnerable to known exploits.
This mirrors guidance from the U.S. Federal Deposit Insurance Corp., which advises banks to use databases such as those provided by CISA to monitor for patches they need to apply.
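As an added illustration of the cross-referencing the FDIC guidance and the CBEST finding above describe, the Python below matches a small asset inventory against a vulnerability feed in the same JSON shape as CISA’s Known Exploited Vulnerabilities (KEV) catalogue (fields `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`). This is example code written for this page, not code from any regulator or bank; the feed entries, the placeholder CVE identifiers, the vendor and product names, the hostnames and the dates are all constructed so the script runs offline, and the real feed is only referenced by URL in a comment.

```python
"""Match an asset inventory against a KEV-shaped vulnerability feed.

All data below is constructed for illustration. The real CISA KEV feed is
published as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the same field names; this script deliberately does not fetch it.
"""
import json
from datetime import date

# Constructed feed in the KEV JSON shape. The CVE IDs are placeholders, not real entries.
KEV_FEED_JSON = """
{
  "title": "Constructed sample feed",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "vulnerabilityName": "ExampleVendor Gateway remote code execution (placeholder)",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Gateway",
     "vulnerabilityName": "ExampleVendor Gateway auth bypass (placeholder)",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "VPN Appliance",
     "vulnerabilityName": "OtherVendor VPN path traversal (placeholder)",
     "dateAdded": "2025-02-15", "dueDate": "2025-03-08", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: what is installed on each host, plus CVEs the patch
# records say were already remediated there. Casing is deliberately inconsistent
# to show that matching must normalize it.
INVENTORY = [
    {"hostname": "gw-01", "software": [{"vendor": "ExampleVendor", "product": "gateway", "version": "4.2"}],
     "patched_cves": ["cve-0000-0002"]},
    {"hostname": "vpn-01", "software": [{"vendor": "OtherVendor", "product": "VPN Appliance", "version": "9.1"}],
     "patched_cves": []},
    {"hostname": "db-01", "software": [{"vendor": "SomeDB", "product": "Server", "version": "12"}],
     "patched_cves": []},
]


def load_kev(feed_json: str) -> dict:
    """Index feed entries by normalized (vendor, product) so lookups are case-insensitive."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
        index.setdefault(key, []).append(entry)
    return index


def exposed_hosts(inventory: list, kev_index: dict, as_of: date) -> list:
    """Return one finding per (host, unremediated KEV CVE), most urgent first.

    Ordering: overdue before not-yet-due, then CVEs tied to known ransomware use,
    then earliest remediation due date, then hostname.
    """
    findings = []
    for host in inventory:
        patched = {c.upper() for c in host.get("patched_cves", [])}
        for sw in host["software"]:
            key = (sw["vendor"].strip().lower(), sw["product"].strip().lower())
            for entry in kev_index.get(key, []):
                cve = entry["cveID"].upper()
                if cve in patched:
                    continue  # patch records already show this CVE remediated on this host
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "host": host["hostname"],
                    "cve": cve,
                    "product": f'{sw["vendor"]} {sw["product"]} {sw.get("version", "")}'.strip(),
                    "due": due.isoformat(),
                    "overdue": due < as_of,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in exposed_hosts(INVENTORY, load_kev(KEV_FEED_JSON), as_of=date(2025, 3, 5)):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f'{f["host"]:8} {f["cve"]:14} {f["product"]:28} {flag}'
              + ("  [ransomware]" if f["ransomware"] else ""))
```

The matching is by vendor and product only, which is all the KEV feed carries; a production job would also pull the affected-version ranges for each CVE from NVD or the vendor advisory before deciding that an installed version is exposed, and would treat the patch records as a claim to verify rather than a fact.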
Regulatory styles: Prescriptive vs. outcome-based
A key difference between the U.K. and U.S. regulatory environments governing bank cybersecurity lies in the execution of supervision.
The U.K. model, through CBEST, employs an “outcome-based assessment” of technical capabilities. The regulators view CBEST as a “guiding framework rather than a detailed prescriptive methodology,” allowing firms flexibility in how they achieve resilience so long as they can demonstrate it under simulated fire.
In contrast, U.S. regulators are currently attempting to pivot away from what has historically been viewed as a process-heavy approach.
“We cannot continue to push policies and supervisory expectations designed for the largest banks down to smaller, less risky, and less complex banks,” said Michelle Bowman, a governor on the Federal Reserve Board, in December 2025 testimony.
Bowman advocated for a supervisory framework that focuses on “material risks to bank operations,” rather than “immaterial issues that divert attention from core safety and soundness.”
Furthermore, the U.S. Financial Stability Oversight Council last month
While tabletop exercises simulate decision-making during a crisis, they do not necessarily involve the technical exploitation of live production servers that characterizes the U.K.’s CBEST program.
So which does cyber better? U.S. or U.K.?
Determining whether the U.K. or U.S. banking sector has a more robust cybersecurity stance is difficult given the opacity of specific banks’ results in the CBEST report and the lack of equivalent testing by U.S. regulators. However, the U.K.’s CBEST program offers a level of empirical validation regarding resilience that standard examination processes can miss.
The 2025 CBEST report concludes that “tactical fixes alone are insufficient” and that quick remediation often leaves “underlying weaknesses unaddressed,” a conclusion similar to that of U.S. regulators that governance is paramount to bank cybersecurity.
