Malicious attack - UK Financial CNI

This risk is featured in the full matrix, representing the averages of multiple different scenarios presented together in the ‘cyber attacks on infrastructure’ category.

Impact: 5
ID: 11
Risk theme: State threats

Impact & Likelihood

Impact key
5 = Catastrophic
4 = Significant
3 = Moderate
2 = Limited
1 = Minor

Likelihood key
5 = >25%
4 = 5-25%
3 = 1-5%
2 = 0.2-1%
1 = <0.2%


Financial market infrastructures (FMIs) are the networks that enable financial transactions to take place. Some FMIs constitute critical national infrastructure (CNI), as they provide services essential to the UK economy or the functioning of the state. Companies providing the UK’s critical national infrastructure, including financial services organisations, are high-profile targets for state and non-state actors that may wish to cause significant disruption. The financial regulators’ operational resilience policy requires finance sector organisations to ensure their critical business services are resilient to severe but plausible scenarios, including malicious attacks.

The supervisory framework covers FMIs and Other Systemically Important Institutions, which are critical to the UK’s financial stability and must also consider their risks in relation to the harm their institution may cause to the real economy and the financial services sector as a whole.


The reasonable worst-case scenario is based on a sophisticated cyber attack against a single FMI carried out by a hostile state or criminal actor.

Significant destruction and total disruption to systems cause the unavailability of systems for at least a week, with a partial outage of a few weeks thereafter. The destructive nature of the attack causes hard-drive data to be overwritten and infected with malware. Depending on the FMI impacted, there would likely be significant impacts on the processing of financial transactions. There is a risk that the UK will experience a loss of confidence in the availability and integrity of financial data as well as reduced confidence in the financial system. Secondary consequences include international and domestic legal implications concerning data. A malicious attack on an FMI that causes its protracted failure could threaten the financial stability of the UK or cause significant disruption to the wider UK economy and to consumers.

Key assumptions

The risk assumes that the fundamental integrity of an FMI has been compromised. It assumes the FMI as well as an available backup have been encrypted, making it inoperable.


Variations involve different examples of FMIs.

Response capability requirements

Collective incident response capability is managed under the UK’s Authorities’ Response Framework (ARF). The ARF allows the UK’s Financial Authorities (the Bank of England, HM Treasury, and the Financial Conduct Authority) to coordinate a response to attacks that have, or could have, a major impact on financial stability or consumers.


Recovery from such an attack could take months with permanent data loss or corruption a strong possibility.