24 Nov 2025
by Peter Clapton

As the finance sector is enfolded into the UK’s CNI, what does this mean for its ongoing digital journey?

Guest blog by Peter Clapton, CEO at Vysiion

The UK Government has recently broadened its definition of Critical National Infrastructure (CNI) to reflect the highly interconnected nature of the services citizens depend on, and the growing range of security threats they face. As such, fourteen distinct verticals now fall under the umbrella of CNI and must contend with the associated compliance obligations. Notably, the finance sector has officially been granted this designation, which has huge implications for its ongoing digital journey and the long-term security and resilience of its critical data – a prime target for bad actors.

This shift is well-timed, as the Bank of England has recently concluded a multi-year project in collaboration with the NCSC, as highlighted in its 2025 report. Key to this has been the CBEST penetration assessment, which was launched in 2014 to help financial firms identify and mitigate weaknesses in their overall cyber security and resilience. Financial regulators began building on the data generated by these regular assessments in the second half of 2025, offering firms additional consultancy around ICT risk and cyber resilience. With the Government’s increased mandate and focus on the security of our nation’s CNI, financial organisations will have to accelerate a digital journey that’s already been picking up pace for a number of years now.

Banks, insurance companies, investment firms, and numerous other financial organisations have long been phasing out increasingly cumbersome legacy systems in favour of highly scalable, highly secure platforms that support the singular challenges involved in the transfer, storage, and management of financial data. This has not only helped maintain the integrity of this critical data in an increasingly complex, aggressive threat landscape, but also opened up new ways for clients to seamlessly access financial services across multiple channels.

Finance’s entry into the CNI space offers a unique opportunity to build on these early successes, exploring how the considerable advances made in the security of integrated IT/OT systems and Industrial Control Systems (ICSs) in recent years can be applied to the sector’s people, processes, and technology. Having worked with both Operators of Essential Services (OESs) and financial organisations in my role at the Exponential-e Group, I would argue that the following will prove essential in the months ahead, not only in terms of meeting firms’ immediate compliance obligations, but also ensuring the wider sector’s ongoing growth and public confidence can be maintained.

Treat physical systems with the same urgency as digital ones

One of the most notable aspects of CNI security is the need to accommodate the ongoing convergence of physical and digital systems, in order to ensure seamless flows of data can co-exist with ironclad security, with per-user access as standard and corporate security policies intelligently automated wherever possible. Firms’ overall security posture must therefore be based on a holistic approach that considers interconnected physical assets as much as data.

Ensure the very latest threat intelligence is acted upon

The NCSC has repeatedly emphasised the need to act on up-to-date threat intelligence, moving beyond a reliance on standard toolsets in favour of a proactive rather than reactive approach to security and resilience. While most organisations will have disaster recovery systems and processes in place, even the shortest period of downtime for CNI systems can have serious – potentially irreparable – consequences, as we have seen in various recent high-profile outages.

Security must be inherent in the design of all systems

The finance sector maintains highly distinctive working models that its systems have evolved to accommodate, but these cannot be allowed to create hidden security risks when non-traditional systems must be integrated. Instead, security must be factored into the design of all systems at the very outset – a ‘secure by design’ approach.

Phase out legacy infrastructure at the earliest opportunity

Related to the above point, many of the legacy systems financial organisations still maintain are no longer patched, which means ensuring their continued viability has created a considerable ‘technical debt’ – a source of vulnerability and an ongoing expense that could easily be reinvested elsewhere to great effect. These systems should be phased out in a considered manner that avoids any operational disruption and potential security risks, with their replacements offering the highest levels of scalability and agility.

Consider the integrity of the supply chain

Business is interconnected in ways that would have been inconceivable just ten years ago, and the same applies to CNI organisations, who frequently utilise global chains of suppliers for both physical and digital systems. Each of these interconnections represents a potential ‘backdoor’ to critical infrastructure that could be exploited, which means all potential suppliers must be regularly audited to ensure their own systems and processes meet the standards set out by current Government regulations around security and resilience.

There’s no doubt that there is much work to be done in the years ahead, but the finance sector as a whole has already demonstrated its growing readiness to embrace digital transformation, and recent advances in the security and resilience of CNI systems mean that the sector now enjoys a unique opportunity to adopt proven, powerful strategies for securing its critical systems. Not only will this help minimise the chances of another high-profile breach occurring, it will also help ensure the continued performance and availability of financial services to clients across the UK and – in turn – guarantee the sector’s long-term growth and stability.

For more information on these topics, our most recent report – Translating the new regulatory standards into a sustainable cyber strategy – is available for download here.



Authors

Peter Clapton

CEO, Vysiion