Cyber attack - UK retail bank

This risk is featured in the full matrix, representing the averages of multiple different scenarios presented together in the ‘cyber attacks on infrastructure’ category.

Impact & Likelihood

Risk matrix (figure): impact (1 to 5) plotted against likelihood (1 to 5), with a risk indicator marking this scenario.

ID: 11
Risk theme: State threats

Impact key: 5 Catastrophic; 4 Significant; 3 Moderate; 2 Limited; 1 Minor
Likelihood key: 5 >25%; 4 5-25%; 3 1-5%; 2 0.2-1%; 1 <0.2%

Background

Retail banks provide financial services to individuals. The services they provide are vital to the UK’s economy. They allow consumers to securely deposit and save their money, and access credit and mortgages. Some retail banks are designated as critical national infrastructure (CNI). UK CNI organisations are high-profile targets for cyber actors, both state and non-state, who may wish to cause disruption or steal information. The financial regulators’ operational resilience policy requires finance sector organisations to ensure their critical business services are resilient to severe but plausible scenarios, including malicious attacks.

Key assumptions

The scenario is based on past cyber incidents and the increasing cyber threat. It assumes that the bank concerned would be unable to recover its core banking platform within the time described, and that the network would be rendered inoperative such that customers cannot access their accounts.

Response capability requirements

Since most systems are owned by private entities, responsibility ultimately rests with firms, though government and regulators can provide support in a crisis. Firms are encouraged to improve their cyber security and resilience, and the regulators’ operational resilience policy requires regulated firms to set impact tolerances and remain within these. Collective incident response capability is managed under the UK’s Authorities’ Response Framework.

Recovery

Recovery plans would comprise a mixture of patching and implementing security controls, remediating and testing data, and assuring systems are secure. Patching the vulnerabilities alone would be insufficient if the network has already been compromised; it is therefore almost certain that future mitigation measures will be required.