Financial Policy Committee releases recommendation to FCA on cyber risk

July 22, 2015

The Financial Policy Committee (FPC) at the Bank of England has cited cybersecurity as a key risk in its 2015 Financial Stability Report, released earlier this month, and has also recommended that the PRA and FCA adopt regular cyber resilience assessment for the UK financial system:

‘The FPC considers it vital that work on cyber resilience continues. The first step in mitigating cyber risk is to have an accurate understanding of where the system’s vulnerabilities lie. At its meeting in June 2015, the FPC therefore replaced its existing cyber Recommendation with the following Recommendation targeted at completing the current set of CBEST tests and making them a regular part of supervision:
The FPC recommends that the Bank, the PRA and the FCA work with firms at the core of the UK financial system to ensure that they complete CBEST tests and adopt individual cyber resilience action plans. The Bank, the PRA and the FCA should also establish arrangements for CBEST tests to become one component of regular cyber resilience assessment within the UK financial system.’
CBEST is a cybersecurity testing framework that the Bank of England introduced in 2014, targeted at firms deemed to be at the ‘core’ of the UK financial system. It is a holistic assessment of a financial services or infrastructure provider’s cyber capabilities that goes beyond traditional penetration testing to cover people, process and technology.
To date, the FCA has not released specific guidance or a testing requirement for firms under its remit; however, we expect this to change over the next 12 months given this recommendation from the FPC.
The Cyber Risk section of the Financial Stability Report is available for download from the Bank of England’s website here:
ACA Aponix are specialists in the assessment of cybersecurity and IT risk for investment managers. Staffed by senior financial technologists with a deep understanding of the investment management business and its technology, we apply a holistic, analytical and thoughtful approach to identifying and remediating risk in order to improve our clients’ security posture. Our cybersecurity and technology risk assessments are designed specifically for investment management firms and cover everything from network infrastructure to the trade workflow process. For more information, please contact James Tedman (email:, tel: 020 7042 0500).