Bank of England: Financial sector failing to implement basic cybersecurity controls

Concerned about the orgs that safeguard your money? The UK's annual cybersecurity review for 2025 suggests you should be. Despite years of regulation, financial organizations continue to miss basic cybersecurity safeguards.

The latest findings come from the CBEST report, which was co-authored by representatives from the Prudential Regulation Authority, Financial Conduct Authority, and Bank of England.

Taking 2025's most prominent findings from 13 CBEST assessments and regulator-backed pentests for finance businesses, BoE found weaknesses like poor access controls and passwords were common among businesses and financial management infrastructures (FMIs).

From a technical perspective, misconfigured and inconsistently patched systems were highlighted as recurring issues, as were mechanisms for detecting potential intrusions and vulnerabilities.

The report noted: "Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls. 

"In addition to technical measures, we continue ...