Bank of England: Strengthening operational and cyber resilience

The Bank of England’s Financial Policy Committee (FPC), represented by Liz Oakes, set out expectations for firms to strengthen operational and cyber resilience and described upcoming sector-wide testing.

• Main announcement: The FPC (via Liz Oakes) expects firms to establish robust risk management frameworks, embed impact tolerances, empower first-line crisis management, and participate in stress tests. This year the Bank will run SIMEX and CORST using a shared scenario testing a global disruption to a cloud service provider (CSP); a post-exercise SIMEX report will follow and the FPC will publish thematic findings from CORST in summer next year.
• Background and details: The speech references recent operational shocks (e.g., 200 nationally significant cyber incidents in 2025, up from 89 in 2024), the recently launched SWES focused on private markets, the role of the PRA and FCA in setting operational resilience policy (including mandated impact tolerances for critical payments), and that SIMEX and CORST run once every two years to test sector-wide and firm-level responses.