Key Takeaways:
- The U.K. regulators’ approach to cybersecurity testing, known as CBEST, involves live-fire attacks on actual bank systems to uncover real-world weaknesses.
- The U.S. regulators focus on tabletop exercises and governance, which may not provide the same level of empirical validation as the U.K.’s approach.
- The 2025 CBEST report found that firms struggled with basic security gaps, including weak patch management and identity controls.
- The U.K. and U.S. regulatory environments differ in their approach to supervision, with the U.K. employing an outcome-based assessment and the U.S. attempting to pivot away from a process-heavy approach.
- The U.S. Financial Stability Oversight Council has endorsed the use of scenario-driven tabletop exercises to assess crisis preparedness, but these exercises do not involve the technical exploitation of live production servers.
Introduction to Cybersecurity Testing
The Bank of England’s 2025 cybersecurity stress tests have revealed that, despite rigorous, intelligence-led simulations on live banking systems, the United Kingdom’s most critical financial institutions still struggle with foundational cyber hygiene. The findings offer a stark point of comparison for U.S. banks, which undergo regular regulatory assessments that pale in comparison to the live-fire testing U.K. regulators apply to the country’s banks. The U.K. regulator mandates that its largest institutions withstand simulated attacks on their actual production environments, providing a real-time look into the vulnerabilities that plague the global financial system.
The U.K.’s CBEST Framework
The U.K.’s banking regulators use a testing framework known as CBEST, which, unlike traditional audits, uses threat-led penetration testing that mimics the behaviors of real-world cyber attackers. Testers run these simulations on the institutions’ live production systems to assess their actual detection and response capabilities, and regulators require the exercises of firms and financial market infrastructure companies deemed systemically important to the country’s financial sector. CBEST is designed to ensure that these key institutions "can continue to deliver their important business services during severe but plausible" disruption. The 2025 analysis of these tests found that firms often failed to maintain "strong configuration practices" and lacked "strong cryptographic protections for data-at-rest."
Common Weaknesses Identified
The CBEST report identified common weaknesses, including "having overly permissive access controls," such as inadequate role-based access, and "not maintaining strong credential hygiene practices," which includes storing passwords in plain text. The testing also revealed that staff remain susceptible to social engineering, with instances of "staff being manipulatable by social engineering that seeks to discover passwords or token codes," often facilitated by employees over-exposing sensitive data on social media platforms. The report notes that these weaknesses often stem from insufficiently hardened or unpatched systems, which remain vulnerable to known exploits.
Comparison to U.S. Regulatory Approach
Across the Atlantic, U.S. regulators do not avoid cybersecurity exercises altogether, but they tend to focus on governance and third-party risk. The Treasury Department announced that it would co-host tabletop exercises offered to small banks, and the U.S. Financial Stability Oversight Council has endorsed scenario-driven tabletop exercises to assess crisis preparedness. These exercises simulate decision-making during a crisis; they do not involve the technical exploitation of live production servers that characterizes the U.K.’s CBEST program.
Regulatory Styles: Prescriptive vs. Outcome-Based
A key difference between the U.K. and U.S. regulatory environments governing bank cybersecurity lies in how supervision is carried out. The U.K. model, through CBEST, employs an "outcome-based assessment" of technical capabilities, allowing firms flexibility in how they achieve resilience so long as they can demonstrate it under simulated fire. In contrast, U.S. regulators are currently attempting to pivot away from what has historically been viewed as a process-heavy approach, and the tabletop exercises endorsed by the Financial Stability Oversight Council assess crisis preparedness without necessarily involving the technical exploitation of live production servers.
Which Approach is More Effective?
Determining whether the U.K. or U.S. banking sector has a more robust cybersecurity stance is difficult, given the opacity of individual banks’ results in the CBEST report and the lack of equivalent testing by U.S. regulators. However, the U.K.’s CBEST program offers a level of empirical validation of resilience that standard examination processes can miss. The 2025 CBEST report concludes that "tactical fixes alone are insufficient" and that quick remediation often leaves "underlying weaknesses unaddressed," a conclusion that echoes the view of U.S. regulators that governance is paramount to bank cybersecurity.
Conclusion
The U.K.’s approach to cybersecurity testing, known as CBEST, provides a level of empirical validation of resilience that standard examination processes can miss. The U.S. regulators’ focus on tabletop exercises and governance may not provide the same level of validation, and the U.S. banking sector may benefit from adopting a more outcome-based approach to supervision. The 2025 CBEST report highlights the importance of addressing basic security gaps, including weak patch management and identity controls, and the need for a more comprehensive approach to cybersecurity testing. Ultimately, the U.K.’s CBEST program offers a model for other countries seeking to strengthen the cybersecurity of their banking sectors.