The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a paper highlighting effective practices they have observed in systemic firms’ and financial market infrastructures’ operational resilience self-assessments, focused on cyber response and recovery. The publication is intended to help firms strengthen their ability to respond to and recover from severe cyber disruptions, including incidents originating in material third-party suppliers, and to support board-level challenge on remaining within impact tolerances for important business services.
Observed effective practices include testing highly destructive, high-severity scenarios and defining impact tolerances using metrics beyond disruption duration, such as value, volume, critical activity, end-users and payment types, particularly for services with potential systemic effects. Firms have prioritised delivering critical elements of services (including critical payments) through workarounds, minimum infrastructure restoration, or segregated alternative solutions, and have developed pre-defined crisis communications plans that are tested for resilience using alternative channels and replicated critical services. Recovery practices include immutable back-ups with restore testing, bare metal recovery in clean environments, prioritising critical data for rapid restoration, sequenced rebuilding of infrastructure and applications reflecting interdependencies, and testing switchover to segregated tertiary sites or stand-in services; for material third parties, mature approaches include seeking equivalent resilience assurance and building failover options, manual workarounds, or restoration capability after third-party data loss.
The paper also points to sector-wide work via the Cross Market Operational Resilience Group (CMORG), including guidance in development on firm-level cyber recovery capabilities and a reconnection framework published in July 2025 that is scheduled to be tested through two CMORG-led exercises in H2 2025. The regulators note they will continue to request operational resilience self-assessments periodically.