FSRA cyber survey: where financial firms are falling short

The Financial Services Regulatory Authority (FSRA) has published the findings of a sweeping cyber risk management survey — and the results paint a picture of a sector that has made genuine progress but still carries significant structural vulnerabilities heading into 2026.

According to ACA Group, the survey was conducted in Q3 2025 by the FSRA’s Financial and Cybercrime Prevention (FCCP) department and distributed to 315 regulated firms, achieving an 83% response rate with 263 firms participating.

ACA Group recently detailed what the FSRA’s cyber risk survey reveals about financial sector readiness in 2026.

The findings were published in January 2026, timed deliberately to coincide with the enforcement of the FSRA’s new Cyber Risk Management Rules on 31 January. Together, they serve as both a stocktake of where the sector stands and a signal of where it is expected to move quickly.

The survey assessed five interconnected areas: governance, risk identification, asset protection, monitoring and testing, and incident response. Whilst each carries its own set of regulatory expectations, the FSRA is clear that these are not independent workstreams — they form a chain, and a firm’s overall resilience is only as strong as its weakest link.

Governance gaps remain a concern

On governance, the FSRA expects every regulated firm to maintain a formally documented, board-approved cyber risk framework, with active senior leadership involvement and clearly assigned operational responsibilities. The survey found that ambiguity in accountability is particularly dangerous — not under normal conditions, but when an incident strikes and the speed of response determines whether containment or escalation follows. Firms where ownership of cyber risk remains unclear are, in the FSRA’s assessment, operationally exposed.

Third-party risk is underestimated

The identification and assessment of cyber risk was the second area under scrutiny, covering IT asset classification, vulnerability management, and third-party exposure. The FSRA found that many firms are not adequately embedding cybersecurity expectations into vendor contracts. Regulators were explicit: outsourcing a function does not reduce a firm’s obligations. Service provider agreements must include incident reporting requirements, defined cybersecurity standards, and ongoing compliance monitoring — not assumed adherence.

Human vulnerability remains a frontline issue

In the third area — protection of ICT assets — security awareness training, threat intelligence, and technical controls were assessed. The FSRA’s position is that employees are often the first line of defence against social engineering attacks, and an underprepared workforce can undermine even the most sophisticated technical architecture. On technical controls, whilst basic measures such as multi-factor authentication and anti-malware solutions are widely adopted, the FSRA stressed that identity and access management must be treated as a priority, with the principle of least privilege applied to reduce overall attack surface.

Advanced testing is not optional for complex firms

The fourth area addressed monitoring and adversarial testing. The FSRA’s findings were direct: limited adoption of advanced testing methods creates blind spots that standard processes cannot detect. For larger, more complex firms, penetration testing, red teaming, and simulation exercises are expected capabilities, not optional enhancements. Without structured logging and monitoring, incidents can go undetected for extended periods — substantially amplifying their ultimate impact.

Untested incident response plans carry hidden risk

The fifth and final area assessed incident detection, response, and recovery. The FSRA found that having an incident response plan in place is insufficient if it is never tested. Firms that do not regularly run simulation exercises and post-incident reviews will find their response capabilities considerably less effective when a real event occurs. With the FSRA requiring material cyber incidents to be reported within 24 hours, the operational readiness of response procedures is not a theoretical concern — it is a measurable compliance requirement.

An integrated programme, not a checklist

Taken together, the FSRA’s findings reflect a broader regulatory intent: not compliance across five discrete categories, but the development of fully integrated, resilient cybersecurity programmes. An incomplete asset inventory creates blind spots in monitoring. Poorly defined roles slow incident response. Threat intelligence that is siloed rather than operationalised fails to inform risk assessments. Security awareness training shapes the quality of the human response at the critical first moment of a suspected incident.

Many firms have made meaningful progress in individual areas. The challenge — and the FSRA’s clear expectation — is that the connections between those areas must now be strengthened. The new rules are in force. The survey has drawn the map. The gap between where firms are and where they need to be is now a matter of public record.

Copyright © 2026 FinTech Global