Cyber and Operational Resilience Stress Test (CORST)

Overview

The Cyber & Operational Resilience Stress Test (CORST) is a key part of the Financial Policy Committee (FPC’s) medium term priorities in providing the primary tool to ‘continue to improve macroprudential oversight of operational resilience’.

In July 2025 the FPC approved the following objectives for future tests:

1. Provide strategic insight into sector vulnerabilities and the financial stability impacts.
2. Test firm and sector capabilities to respond to, and recover from operational disruption, and their individual and collective ability to mitigate financial stability impacts.
3. Support firms in maturing their approach to operational resilience and financial stability, including their role as systemic risk managers.

CORST will continue to be a macro-focused exploratory tool and will investigate beyond the payments and settlements vital service. All systemic firms will be invited to participate in CORST on a voluntary basis on rotation. The Bank will also engage non-regulated institutions to join tests as observers and advisors to provide additional expertise and perspectives. Cyber Stress Tests (CST) will be renamed as CORSTs. 

CORST26 – Cyber & Operational Resilience Stress Test 2026

In April 2026, we launched CORST26. The test will explore the impacts of a Cloud Service Provider and third party disruption scenario, aligned to SIMEX26. 

The test will run throughout 2026 and will report to FPC and publish thematic findings in summer 2027.

CST24 – Cyber Stress Test 2024

We asked providers and users of wholesale services to model the impact of hypothetical operational disruption scenarios. Participants provided data and attended workshops to discuss how they would respond. The test also explored the potential impacts to financial stability through financial, operational and confidence channels. Annex 1 provides a toolkit methodology to help firms to mature their understanding of how an incident can cause a potential financial crisis.

On 9 July we published the findings of the Bank of England’s CST24 The findings are relevant to participants, non-participant firms and financial market infrastructure firms.

• Thematic findings from the 2024 Cyber Stress Test

The key findings were:

• The need for firms to mature their understanding of their role in providing financial stability and mitigating impacts from operational disruptions.
• The importance of understanding the nature of disconnection in order to maintain risk based connections to FMIs, ensuring continuity of services.
• Confirmation from the FCA of the role of Treating Customers Fairly in prioritising transactions related to maintaining financial stability.

CST22 – Cyber Stress Test 2022

We asked providers and users of a UK retail payments scheme to model the impact of a disruption affecting data integrity. The findings support individual and collective work to improve the financial sector’s response to and recovery from incidents.

On 29 March 2023, we published the Thematic findings from the 2022 Cyber Stress Test. 

The key findings were:

• The importance of mitigation of impacts (eg providing credit) in addition to planning for, and testing contingencies (another method of delivering a payment).
• Industry coordination and communication, including that processes are in place with appropriate expertise to respond to operational disruptions.
• The FPC updated its impact tolerance for payments and settlement on the basis of this test. The revised tolerance can be found from para 97 in the Financial Policy Summary and Record - March 2023.

Pilot and establishment of Cyber stress testing

The background for the tests and the original FPC impact tolerance are set out from para 67 in the Financial Policy Summary and Record - March 2021.