Financial services operate in one of the most heavily regulated environments in the world, and yet the failures identified in FCA cybersecurity reviews often have little to do with whether a firm understands the rules. Most institutions can recite the familiar acronyms — SYSC, SMCR, PRIN, and the operational resilience framework — with ease. They maintain long policies, keep tight control registries, and present cyber strategies to their boards each year. But understanding the rules and demonstrating lived compliance with the underlying expectations are very different things.
The FCA’s cyber scrutiny in 2025 reflects this distinction more clearly than ever. The regulator has grown increasingly direct about the root causes of harm and disruption, placing far more emphasis on behaviour, culture, and decision-making than on whether a control appears in a policy document. Technology still matters — it always will — but the FCA’s most persistent observations point not to firewalls or encryption gaps, but to the ways people interpret risk, the confidence they have in escalation pathways, and the extent to which cyber resilience is embedded into the rhythms of the organisation rather than its paperwork.
This shift has caught many firms off-guard. Not because the expectations are new, but because the regulator is now asking firms to evidence something they have never been particularly good at explaining: how cybersecurity is actually lived inside the business, hour by hour, decision by decision.
A Strategy Is Not a Story of Resilience
Almost every FCA-regulated firm has a cyber strategy today. Many are well written and technically sound, with diagrams, maturity models and multi-year roadmaps. Yet the FCA continues to discover that these strategies are often disconnected from the behaviours and decisions that define resilience in practice. Boards approve strategies they cannot meaningfully articulate, or they sign off on risk appetites that do not reflect the reality of how the organisation perceives risk day to day.
This isn’t dishonesty — it’s a sign of a cultural gap that the FCA now treats as a supervisory risk in its own right. A strategy that lives primarily on slides or in governance packs cannot influence operational decisions. It can only describe aspirations. The FCA’s frustration emerges when those aspirations are repeatedly contradicted by what staff say during interviews, what logs reveal during audits, and what incident simulations uncover.
The regulator expects a cyber strategy to function as a shared story of resilience rather than a static document. When senior managers cannot explain the narrative behind their own cyber posture — why certain controls matter most, how particular threats could cause disruption, or what makes the firm uniquely vulnerable — the FCA questions whether the strategy has real oversight or merely formal approval.
This is where financial services often struggle. Governance structures are dense. Policies multiply. Presentations are polished. But narrative coherence — the ability to explain risk in a way that connects technology, behaviour, culture, and supervision — remains rare. And without this, even the most sophisticated strategies fail to move the organisation into the territory the FCA expects: a place where cyber resilience informs decisions and shapes behaviour long before something goes wrong.
Risk Management That Describes Threats Instead of Understanding Them
The FCA’s expectations around cyber risk management have grown more demanding because incidents have become more complex. Modern cyberattacks exploit human decisions, third-party dependencies, system interconnections, and operational pressure points. Yet many firms still assess cyber risk in a way that belongs to an earlier era, where threats could be neatly defined and neatly assigned to a technology function.
Regulatory reviews repeatedly reveal risk assessments that are technically thorough but behaviourally shallow. They list threats, score likelihoods, document mitigations, and reference frameworks — but they do not explain why certain risks crystallise so easily inside the organisation or how human decision-making magnifies or reduces vulnerability. Firms describe what the threat is, but not why it matters, how it travels through the organisation, or where it interacts with culture, knowledge, and everyday work.
This disconnect is not academic. The FCA views cyber risk as inseparable from business risk. A phishing email that bypasses controls becomes a conduct issue when client funds are put at risk. A ransomware incident becomes an operational resilience issue when critical services are disrupted. A misconfigured access control becomes a governance issue when the firm cannot explain why it remained unaddressed.
Firms often underestimate how much the regulator can infer from the way risk is described. When human-factor risks appear as an afterthought, or when behavioural vulnerabilities are grouped under generic headings without deeper exploration, the FCA concludes that the firm does not yet understand the risk landscape it claims to manage. And when risk assessments rely heavily on inherited scoring models, outdated assumptions, or third-party assurances that do not reflect the firm’s actual use case, the regulator sees a growing gap between the documentation and the lived reality of operations.
Cyber risk management has matured in technical sophistication but has not yet matured in behavioural understanding. This is the cultural friction the FCA continues to highlight.
Training That Exists in Records but Not in Behaviour
Perhaps the most consistent message in recent FCA communications is the regulator’s frustration with staff awareness. The FCA has stated several times that poor staff awareness remains one of the highest drivers of harm, yet many firms still equate training with compliance: an annual module, a set of slides, a short quiz, maybe a phishing simulation. These activities look good in audit, but they rarely influence behaviour in a way the regulator finds reassuring.
Firms with strong technical capabilities often assume their biggest cyber risks sit in their systems or infrastructure. In reality, the FCA sees the opposite. It sees risk in the places where staff hesitate to escalate something suspicious, where teams assume “IT will take care of it,” where controls are bypassed under pressure, or where individuals feel embarrassed to report a mistake. These moments matter more than any technology control because they determine whether the firm contains an incident early or becomes the subject of an enforcement case months later.
One of the strongest indicators of a cultural gap is the disconnect between what policies say employees should do and what employees believe they are expected to do in practice. During reviews, the FCA often encounters staff who remember fragments of training but cannot apply them to realistic scenarios. They recognise terms but not consequences. They know what a phishing email is but are unsure what happens after they report one, or whether reporting will slow them down, or whether escalating a false alarm will reflect badly on them.
This gap between knowledge and confidence is where resilience breaks first.
The FCA does not expect every employee to be technically proficient, but it does expect them to understand their personal responsibility for cyber resilience. When firms rely on tick-box training that focuses on information rather than judgement, the regulator sees a cultural weakness — not a training weakness. It is a subtle but essential distinction.
Technology Controls That Work in Theory but Drift in Practice
Even technically mature firms experience drift between how controls are designed and how they are used. Privileged access frameworks erode over time, exceptions accumulate informally, and monitoring capabilities expand without the corresponding increase in human capacity to interpret alerts. Backups exist but are never tested under the pressures of a real incident. MFA policies include discretionary exemptions that no-one can clearly justify.
These issues rarely arise through negligence. Instead, they emerge from the organisational dynamics that the FCA studies closely: operational pressure, resource constraints, siloed communication, knowledge gaps, and the natural human tendency to prioritise immediate tasks over long-term safeguards.
When the FCA reviews technology controls, it is not only concerned with whether the controls exist. It wants to understand how consistently they operate under real conditions, how quickly deviations are identified, how conflicts are resolved, and how well people understand the chain of responsibility. A control that only works when everything else is calm is not resilient. And a control that is technically enforced but poorly understood may create as much risk as it mitigates.
The regulator’s expectations here often reveal a deeper truth: cyber resilience does not rest on the mere existence of controls but on the coherence of the environment in which those controls operate. That environment is cultural, behavioural, and organisational — not technical.
The Expanding Complexity of Third-Party Risk
The modern financial services ecosystem is interdependent. Firms rely on cloud platforms, payment processors, authentication services, data aggregators, and outsourced operational partners. Each brings additional capability — and additional vulnerability. The FCA’s supervisory reviews frequently highlight that firms treat third-party risk as a procurement responsibility rather than a core component of their cyber posture.
Large service providers often produce impressive assurance artefacts, but these documents are rarely tailored to the specific ways the firm uses the service. A SOC report or penetration test does not guarantee resilience if the firm’s configuration, access model, or data flows introduce new risks. And when an outsourced service performs a critical function, any disruption becomes the firm’s problem, regardless of whether the firm believes it has “done due diligence.”
This is where the FCA’s expectations differ from many firms’ internal assumptions. The regulator expects not only contractual clarity but operational understanding. It expects firms to know what would happen if a provider were compromised, how quickly they could switch to alternatives, and how they would maintain continuity. It expects firms to examine not just the provider but the behavioural assumptions inside their own organisation — assumptions such as “the vendor will manage that” or “they are a big brand; they must be secure.”
Cyber incidents in recent years have shown that size does not imply resilience. And the FCA’s messaging increasingly reflects that reality.
Incident Response: The Moment Where Culture Is Exposed
Incident response plans often look robust. They identify contacts, outline escalation paths, and describe recovery steps. Yet during FCA testing, the cracks usually appear within minutes. Plans assume clarity that never exists during real incidents. Responsibilities overlap or contradict. Decision-making becomes hesitant. Teams wait for approval from individuals who are unavailable or not fully briefed.
Most importantly, people behave differently in simulations than they do in calm discussions about policy. The FCA places significant weight on how staff react under pressure: whether they escalate early, whether they are comfortable making decisions when information is incomplete, and whether they understand when an event crosses the threshold of regulatory notifiability.
This is where organisational culture becomes visible. Some firms foster environments where mistakes are hidden, not raised. Others promote escalation only when certainty exists — which is almost never during the first stage of a cyber incident. And some firms rely heavily on deeply knowledgeable individuals rather than resilient processes, meaning that the absence of a single person can slow or derail the entire response.
The FCA’s view is straightforward: incident response maturity is one of the strongest indicators of overall operational resilience. A firm’s behaviour during the first 30 minutes of an incident reveals more about its culture than its policies ever will.
Why Firms Still Miss the FCA’s Expectations
The persistent gaps identified by the FCA are rarely caused by a lack of skill or a lack of will. They arise because cybersecurity intersects with human behaviour in ways regulation cannot fully codify. People underestimate slow-burning risks because nothing bad has happened yet. They develop informal workarounds in the name of efficiency. They assume responsibility sits elsewhere because the organisation has never made that responsibility feel personal. They report what seems safe to report and avoid what carries reputational discomfort.
Firms then create policies that aim to address these behaviours, but without embedding the cultural foundations that support compliance in moments of uncertainty. As a result, policies become maps that no longer match the territory. And the FCA sees this mismatch within minutes of entering a firm’s environment.
Cyber resilience requires more than controls. It requires shared understanding, psychological safety, clear decision-making structures, and a lived sense of responsibility across the organisation. These qualities cannot be mandated through rules, but the FCA evaluates them through supervision — and increasingly treats them as indicators of financial and operational integrity.
Bridging the Gap: A Different Kind of Resilience
For firms seeking to align more closely with the FCA’s expectations, the starting point is not additional documentation but a deeper understanding of how resilience actually functions inside the organisation. Cyber posture improves when risks are described in ways that reflect human behaviour, when training is designed to empower rather than inform, when incident rehearsals surface uncomfortable truths rather than validate existing assumptions, and when third-party dependencies are examined through the lens of lived operational impact rather than contractual promise.
The firms that stand out under FCA scrutiny are rarely those with the most extensive policy libraries. They are the organisations that can explain how their people think, decide, escalate, and recover. They talk about risk in language that reflects real experience rather than generic categorisations. They can show how their strategy influences behaviour, why certain controls matter, and how those controls continue to hold under pressure. In such environments, cyber resilience becomes something lived rather than claimed — a discipline shaped by practice rather than paperwork.
In 2025, the FCA’s focus sits firmly beneath the surface of compliance. Cybersecurity within financial services is no longer judged solely by the existence of controls or the structure of governance frameworks. It is judged by a firm’s ability to demonstrate that resilience is woven into everyday decisions, interactions, and operational habits. A firm that can achieve this may not be perfect — no firm is — but it will exhibit a maturity of culture and understanding that aligns with both the letter and the spirit of regulatory expectations. And at a time when the threat landscape continues to evolve in complexity and speed, that alignment is becoming not only a supervisory requirement but a necessary foundation for long-term stability and trust in the financial system.
Conclusion: Building the Human Foundations of FCA Cyber Resilience
Against that backdrop, the FCA’s recent supervisory work reveals a consistent truth: the weakest points in cyber resilience rarely sit within the technology itself. They tend to emerge in the behavioural spaces between controls — the moment when someone is unsure whether to escalate, the shortcut taken to meet a deadline, the hesitation that arises when a situation feels unfamiliar. These moments shape the outcome of incidents more reliably than any technical safeguard, and they appear even in organisations that believe their cyber programmes are robust.
This is why the regulator’s expectations increasingly converge on the idea of lived resilience. A firm may have a well-structured strategy, a detailed risk framework and a modern control environment, yet still fall short if its people lack the confidence, judgement or experience to act decisively under pressure. Internal governance may reward good documentation, but it is behaviour that determines whether the FCA sees evidence of meaningful resilience. It is behaviour that determines whether an incident is contained early or allowed to escalate.
As a result, many organisations find themselves shifting focus from technology to people. Cyber resilience becomes less about adding more controls and more about strengthening the human factors that determine whether those controls succeed. It becomes about recognising early warning signs, understanding how attackers exploit decision-making and operational habits, and predicting how small lapses in routine can create large opportunities for harm. At this stage, training ceases to be a compliance activity and becomes an operational necessity.
High-quality cyber training does something policies cannot: it allows people to experience uncertainty before it happens in real life. Realistic scenarios familiarise staff with the ambiguity inherent in early-stage incidents, reducing paralysis when events unfold. Exposure to attacker tactics makes individuals more alert to behavioural vulnerabilities. Contextual understanding of escalation pathways reduces hesitation and strengthens decision-making. And because this learning happens collectively, it builds a sense of shared responsibility rather than dispersed accountability.
The FCA’s emphasis on culture amplifies the importance of this preparation. Culture is shaped through repeated practice and shared reflection, not through documents or slide decks. When incident simulations expose communication gaps, unclear responsibilities or unspoken assumptions, these insights directly strengthen organisational decision-making and governance. The regulator increasingly expects this kind of ongoing learning, not annual exercises designed to confirm what firms already believe.
Training becomes the mechanism that translates intention into lived behaviour. It takes cyber strategy off the page and places it into the daily reality of those who carry risk. It anchors risk assessments in human behaviour rather than abstract scoring. It turns incident response plans into something closer to muscle memory. And because training reaches across every level of the organisation, it becomes one of the few interventions capable of shifting culture at the scale the FCA expects.
The firms that demonstrate the greatest alignment with supervisory expectations are not those that chase perfection, but those that understand that cyber resilience is as much behavioural as it is technical. These are organisations where people understand their personal role in protecting systems and customers, where escalation is seen as routine rather than intimidating, and where decision-making has been rehearsed enough that uncertainty does not turn into delay.
Ultimately, cyber resilience in financial services is a human story. Technology forms the foundation, but people determine whether that foundation holds under pressure. The FCA’s expectations reflect this reality. Organisations that embed preparedness, culture and behavioural confidence into their everyday operations will be the ones best equipped to meet regulatory expectations and navigate the complexity of the modern threat landscape.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
