5 cyber gaps regulators keep finding and why UK mortgage firms should care

Large banks and insurers often look rock solid on cybersecurity. From the outside it feels like they run fortress technology with endless budgets and elite teams. The reality is a bit more ordinary. The Bank of England’s CBEST programme keeps showing that even the biggest firms still stumble on the basics. Those lessons matter to every lender, servicer and broker in the United Kingdom.

What is CBEST?

CBEST stands for Cybersecurity Best Practice in Threat Intelligence-led Testing. In simple terms, it is the Bank of England’s threat led penetration testing framework for the most important financial institutions in the United Kingdom. It combines real world threat intelligence with controlled testing on live systems. The goal is to see how a firm would stand up to the sorts of attacks used by serious adversaries.

Here is how it works in practice. An accredited intelligence provider profiles the firm’s business services, technology and people. They identify likely attackers and tactics. A separate accredited testing team then runs a scoped attack simulation against the firm’s live environment, under strict safety rules. Findings are linked to real business impact. The focus is to help firms improve detection, response and core hygiene. CBEST is overseen by the Bank of England and used by the Prudential Regulation Authority and the Financial Conduct Authority where relevant. It is the gold standard for intelligence led testing in the United Kingdom.

You do not need to be a systemic bank to learn from CBEST. The themes repeat across the sector. Mortgage businesses can apply the same ideas at a scale that fits their risk.

1) Access control is sloppy

Identity and access management sounds dull, yet it is also where many breaches begin. CBEST assessments have found that too many people can reach systems they do not need. Weak passwords still turn up, Multi Factor Authentication is not always enforced on critical services, and administrator accounts are sometimes shared or poorly monitored. In a mortgage setting that means unnecessary access to the Loan Origination System, broker and customer portals, servicing platforms, cloud consoles and data stores.

This is not only a technical issue; it is also a process issue. Joiners are given broad default roles, movers keep old permissions and leavers are not removed quickly enough. Over time the permission set drifts until no one is sure who can do what.

What good looks like is simple. Start with least privilege for every role: define who actually needs access to decisioning, pricing, valuation and payment functions. Enforce Multi Factor Authentication for every user and every administrator. Ban shared administrator accounts and require named logins with audit trails.

Review access every month for critical systems and every quarter for everything else. If you use managed service providers, apply the same rules and ask for evidence.
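The joiners, movers and leavers drift described above can be checked mechanically by reconciling a system's account export against the HR roster and a least privilege role model. The script below is an added example, not code from the original post; the role names, entitlements and sample roster are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed least privilege role model for a mortgage firm: the entitlements each role
# genuinely needs. Names are constructed for this example.
ROLE_ENTITLEMENTS = {
    "underwriter": {"los:decisioning", "los:case_read"},
    "completions": {"los:case_read", "payments:release"},
    "pricing": {"los:pricing"},
}

@dataclass
class Person:
    uid: str
    status: str      # "active" or "leaver", as fed from HR
    role: str        # current role from HR; rights kept from an earlier role show up as excess

@dataclass
class Account:
    login: str
    owner: str       # uid of the named person, or "" for a shared or generic account
    entitlements: set

# Constructed sample roster and access export (not real data).
SAMPLE_PEOPLE = [Person("u1", "active", "underwriter"),
                 Person("u2", "active", "completions"),
                 Person("u3", "leaver", "pricing")]
SAMPLE_ACCOUNTS = [
    Account("alice", "u1", {"los:decisioning", "los:case_read"}),               # matches role
    Account("bob", "u2", {"los:case_read", "payments:release", "los:pricing"}),  # mover kept pricing
    Account("carol", "u3", {"los:pricing"}),                                     # leaver still enabled
    Account("admin", "", {"los:admin"}),                                         # shared administrator login
]

def review_access(people, accounts):
    """Reconcile accounts against HR. Returns (finding, login, entitlements) tuples."""
    by_uid = {p.uid: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.owner:
            findings.append(("shared_account", acct.login, sorted(acct.entitlements)))
            continue
        person = by_uid.get(acct.owner)
        if person is None or person.status == "leaver":
            # An owner HR does not know is treated like a leaver: nobody vouches for the account.
            findings.append(("leaver_still_active", acct.login, sorted(acct.entitlements)))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(person.role, set())
        if excess:
            findings.append(("excess_entitlement", acct.login, sorted(excess)))
    return findings
```

Run it against each critical system monthly and the rest quarterly; every finding should end in a ticket with an owner, and the empty result is the evidence to keep.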

2) People remain the main risk

We all know people are targeted. CBEST findings show the problem is not going away. Staff still fall for convincing emails and calls. Job adverts, social posts and conference slides often reveal tools, versions and processes that an attacker can use to craft a believable approach. Credentials still leak into internal file shares or even public platforms.

Treat this as a normal business risk, not an occasional training day. Short, frequent exercises work better than long annual courses. Run realistic phishing drills that reflect your brand and processes. Include underwriters, completions teams and Business Development Managers, not only the IT team. Make secure behaviour part of everyday routines. For example, require call backs to a known number before sharing any case information by phone. Remove sensitive detail from job adverts and LinkedIn posts, such as specific system names, versions and internal project codes. If you outsource, give suppliers the same training standard and test it.

Culture matters. A positive cyber culture means people feel safe to report mistakes early. If a member of staff clicks on a malicious link, you want them to call the helpdesk at once without fear of blame. Early reporting often makes the difference between a small clean up and a serious incident.

3) Detection and response are patchy

No firm can block every attack. The key is to detect early and act fast. CBEST exercises have found weak monitoring, slow analysis and even insecure incident communications. In a few cases defenders used channels that an attacker could read, which handed the game away.

This is where basic discipline helps. A Security Information and Event Management platform is not enough by itself. You must tune alerts to your critical journeys. In a mortgage business that means Decision in Principle, full application, valuation, offer and completion. Alert on unusual access to case stores, sudden changes to payment rules and creation of new administrator accounts out of hours. Align logs from cloud platforms, on premises systems and third party Software as a Service, so you can trace a timeline.
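To make the three alerts above concrete, the added example below (not code from the original post) takes constructed log lines from three sources with different timestamp formats, normalises them into one UTC timeline and applies the rules. The log formats, business hours window and bulk export threshold are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample log lines (not real lender data): cloud IAM, on premises payments host, SaaS servicing.
CLOUD_LOGS = [
    "2024-03-12T22:14:05Z iam CreateUser user=svc-admin2 group=Administrators actor=jsmith",
    "2024-03-12T09:02:11Z iam CreateUser user=newjoiner group=Readers actor=hr-bot",
]
ONPREM_LOGS = ["Mar 12 2024 22:16:40 losdb01 payments rule=PAYOUT_LIMIT old=50000 new=5000000 actor=jsmith"]
SAAS_LOGS = ['{"ts":"2024-03-12T21:59:00+00:00","event":"case_export","actor":"jsmith","records":12000}']
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 UTC on a weekday counts as in hours
BULK_EXPORT_RECORDS = 1000      # assumption: threshold for unusual access to the case store

def kv(tokens):
    """Turn 'key=value' tokens into a dict."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def parse_cloud(line):
    ts, _service, event, *rest = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": "cloud", "event": event, **kv(rest)}

def parse_onprem(line):
    parts = line.split()   # syslog style: no zone in the stamp, so mark it UTC explicitly
    ts = datetime.strptime(" ".join(parts[:4]), "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": parts[4], "event": "payment_rule_change", **kv(parts[6:])}

def parse_saas(line):
    rec = json.loads(line)
    return {"source": "saas", "ts": datetime.fromisoformat(rec.pop("ts")), **rec}

def build_timeline():
    """Normalise every source to timezone aware UTC and return one ordered timeline."""
    events = [parse_cloud(ln) for ln in CLOUD_LOGS] + [parse_onprem(ln) for ln in ONPREM_LOGS]
    events += [parse_saas(ln) for ln in SAAS_LOGS]
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Apply the three alert rules from the text; returns (rule, actor, ts) tuples in timeline order."""
    alerts = []
    for e in events:
        out_of_hours = e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5
        if e["event"] == "CreateUser" and e.get("group") == "Administrators" and out_of_hours:
            alerts.append(("admin_created_out_of_hours", e["actor"], e["ts"]))
        elif e["event"] == "payment_rule_change":
            alerts.append(("payment_rule_changed", e["actor"], e["ts"]))
        elif e["event"] == "case_export" and e.get("records", 0) >= BULK_EXPORT_RECORDS:
            alerts.append(("bulk_case_access", e["actor"], e["ts"]))
    return alerts
```

The ordered timeline is what lets an analyst see that one actor exported cases, created an administrator and changed a payout limit within twenty minutes, which no single source would show on its own.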

Incident communication needs its own plan. If your email is compromised, do not coordinate the response over the same email. Use out of band channels, such as a pre agreed phone bridge or secure messaging. Keep a hard copy of key contacts in case the directory is unavailable.

Rehearsal is vital. Run quarterly walk throughs of your major policies and procedures. Cover ransomware, business email compromise, data exfiltration and insider abuse. Include the executive team so they know how to make decisions under pressure. Measure time to detect, time to contain and time to restore. Trend those metrics. What you measure gets fixed.

4) Threat intelligence sits in silos

Cyber Threat Intelligence is often collected with care, then left on a shelf. CBEST reports note that foundations exist, yet the intelligence does not flow into change, testing or day to day controls. The best insight is wasted if it does not change behaviour.

Make intelligence practical. Translate each item into an action. If a new tactic targets mortgage portals with specific file upload tricks, update the Web Application Firewall and the input validation tests. If there are fresh indicators for a phishing campaign against financial services, add them to your detection rules and send a short briefing to all staff. If a supplier is named in a threat report, ask them for a statement and evidence of controls.

Governance helps. Give the intelligence function a regular slot at the product or change board. Ask for one page in plain English that says what changed in the threat landscape this month and what the business has done about it. Tie each action to an owner and a due date. Close the loop by checking results.

5) Core infrastructure needs housekeeping

Most incidents succeed because of simple housekeeping gaps. Weak configuration management leaves systems unpatched and vulnerable. Networks are often too flat, which makes lateral movement easy once an attacker is inside. Development and production are not separated well, which lets test code or credentials bleed into live services.

Set a steady patch rhythm and stick to it. For example, apply critical patches within seven days and high severity patches within thirty days. Report on compliance each month. Challenge exceptions. Use configuration baselines for endpoints, servers and cloud resources so you can spot drift quickly.
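The monthly compliance report for the seven and thirty day rhythm above is easy to get wrong: a patch released last week that is not yet applied is not a breach, but one released two months ago is. The added example below (not code from the original post) applies those deadlines to a constructed patch inventory and keeps not-yet-due patches out of the denominator.

```python
from datetime import date, timedelta

# SLA from the text: critical patches within seven days of release, high severity within thirty.
SLA_DAYS = {"critical": 7, "high": 30}

# Constructed patch inventory (not real data). applied=None means still open.
PATCHES = [
    {"id": "P-1", "severity": "critical", "released": date(2024, 3, 1), "applied": date(2024, 3, 5)},
    {"id": "P-2", "severity": "critical", "released": date(2024, 3, 1), "applied": date(2024, 3, 12)},
    {"id": "P-3", "severity": "high", "released": date(2024, 2, 10), "applied": None},
    {"id": "P-4", "severity": "high", "released": date(2024, 3, 25), "applied": None},
    {"id": "P-5", "severity": "low", "released": date(2024, 1, 1), "applied": None},
]

def classify(patch, today):
    """One of: on_time, late (applied after deadline), overdue (open past deadline), pending, no_sla."""
    sla = SLA_DAYS.get(patch["severity"])
    if sla is None:
        return "no_sla"
    deadline = patch["released"] + timedelta(days=sla)
    if patch["applied"] is not None:
        return "on_time" if patch["applied"] <= deadline else "late"
    return "overdue" if today > deadline else "pending"

def compliance_report(patches, today):
    """Per severity: how many were due, the share closed within SLA, and the open overdue ids.
    Patches whose deadline has not yet passed are left out of the denominator so the
    percentage reflects only patches the SLA has actually tested."""
    report = {}
    for sev in SLA_DAYS:
        states = {p["id"]: classify(p, today) for p in patches if p["severity"] == sev}
        due = [s for s in states.values() if s != "pending"]
        report[sev] = {
            "due": len(due),
            "within_sla_pct": round(100 * due.count("on_time") / len(due), 1) if due else None,
            "overdue_ids": sorted(pid for pid, s in states.items() if s == "overdue"),
        }
    return report
```

The overdue ids are the exceptions to challenge each month; the percentage is the number to trend.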

Network segmentation is still one of the best defences. Ring fence crown jewels such as payment routes, customer data stores and administrator consoles. Use access control lists, private endpoints and micro segmentation in the cloud. Enforce separate development, test and production with tight identities and audited changes. Keep secrets out of code and use a proper secrets manager.

Backups are part of housekeeping too. Take regular, tested, offline capable backups of core systems and data. Restore them in rehearsal so you know they work under pressure. Encrypt data at rest and in transit. Review third party access. Limit it by time, by scope and by named user.

What this means for UK mortgage businesses

The lesson is to master the basics and prove it with evidence. Here is a practical way to start.

Focus first on identity, patching and segmentation. Turn on Multi Factor Authentication everywhere. Remove shared logins. Review administrator access monthly. Patch on time. Separate development, test and production. Segment networks and cloud accounts so an intruder cannot wander from a low value system to a payment or data store in one hop.

Test like you mean it. Commission a penetration test at least once a year. Scope it to the broker portal, the customer portal, the Loan Origination System and any data movement jobs between you and your partners. Ask the tester to retest after fixes. If budget allows, run a small threat led exercise that targets a single important service. You will learn more from a focused scenario than from a general sweep.

Treat suppliers as part of your estate. Ask your Loan Origination System vendor, your customer relationship management vendor, your cloud provider and your data partners for evidence of their own testing and patching. Build testing rights and fix times into contracts. Make sure third party staff use Multi Factor Authentication and named accounts when they connect to your systems.

Report what matters. Track a small set of metrics and review them at the executive committee. For example, percentage of users with Multi Factor Authentication, percentage of critical patches applied on time, number of high severity findings open, median time to contain an incident, and percentage of crown jewel systems behind strong segmentation. Use those numbers to drive action rather than to decorate slides.

Build culture across the whole firm. Security is not only for the IT function. Underwriting, completions, sales, marketing, ops and Business Development Managers all handle sensitive data and have access to important systems. Include them in exercises. Ask them where the process makes secure behaviour hard, then fix the process. Celebrate early reporting. Treat near misses as learning, not as failure.

Plan for the worst. Keep a brief incident plan that anyone can follow. Hold a call tree, a list of systems to check first, and a simple decision guide on whether to disconnect a service. Keep legal and communications contacts close. If customer data may be affected, involve your Data Protection Officer early.

Bringing it together

CBEST shows that the biggest firms still have gaps. That should not make us cynical. It should make us practical. The strongest defence is steady, simple hygiene done well. Know who has access. Enforce Multi Factor Authentication. Patch on time. Segment the network. Test your assumptions. Practise your response. Do it again next quarter.

Mortgage businesses do not need vast budgets to improve. They need clear priorities, consistent action and honest measurement. The basics cut risk fast, protect customers and keep operations running. If the largest institutions are still sharpening those basics, the rest of us should take the hint and get on with it.
