Why it’s time for the financial sector to ditch the tabletop cyber exercises and start drilling

By Dan Potter, Senior Director of Operational Resilience at Immersive

No business expects its personnel to respond calmly and effectively to a fire because they once watched a training video or discussed the evacuation plan around a table.

Yet this is precisely what many financial organisations still do when it comes to preparing for cyber risk. The idea of an attack is often treated as a theoretical issue, but the threat is very real.

The Bank of England’s H2 2024 Systemic Risk Survey found that 80% of respondents cited cyberattacks as a top concern, second only to geopolitical risk. Its Financial Stability Report further highlights that heightened geopolitical tensions are increasing the likelihood and potential impact of cyber incidents on the UK economy.

The losses are racking up. The IMF estimates that financial institutions have accounted for around 20% of all cyberattacks over the last two decades, with combined losses exceeding $12 billion.

When preparing for the physical threat of a fire, we run fire drills and rehearse, making sure everyone knows what to do and where to go. Cybersecurity should be no different.

We must bring this serious threat out of the realm of the theoretical and into the forefront of the minds of financial personnel.

Why tabletops don’t prepare firms for real attacks

Cyber skills development is often delivered through a combination of informational video content, bolstered by occasional tabletop exercises to simulate crisis situations.

These sessions typically involve senior stakeholders such as CEOs and CISOs role-playing through an attack scenario to test how they would respond to the real thing. The Bank of England has promoted such exercises as part of its wider stress-testing and has published detailed reports on previous ones, which give firms genuinely useful data on cyber preparedness.

Outside of those, however, the tabletop exercises financial firms run for themselves tend to be fairly banal: heavily scripted, slow-paced, and stripped of the unpredictability that defines an actual incident.

There’s no real sense of jeopardy, no time pressure, and no meaningful consequences. Critical decisions, such as whether to notify regulators, shut down systems, or engage legal teams, are discussed in theory, but not made in the moment.

Holding a security crisis at this sterile distance means there is unlikely to be any behavioural change or meaningful skill development. It’s also all but impossible to accurately assess real cyber readiness. Financial firms operating in high-stakes, high-complexity environments can’t afford that disconnect.

Simulations build capability, coordination and confidence

Short of suffering an actual attack, one of the most effective ways to convey the feel of a cyber crisis is an in-depth simulation.

Simulations can be highly realistic, running against a detailed replica of the company's own environment so that the scenario hits as close to home as possible.

Unlike passive training or paper-based exercises, cyber simulations recreate the chaos of a real attack by forcing teams to respond in real time. Technical and executive groups are challenged simultaneously, bridging the gap between SOC operations, legal, communications, and leadership.

This live-fire format uncovers how decisions made in the boardroom affect actions on the ground as participants see the impact of their choices unfold on their company, from financial data theft to trading downtime.

These cyber drills also build critical muscle memory across the organisation. Rather than freezing like a deer in headlights when a real attack occurs, decision-makers will have an established pattern for how to collaborate under pressure, communicate clearly, and execute with speed.

Simulations also expose hidden weaknesses, such as slow escalation paths and confusion over roles, that can stack up to turn a breach into a catastrophe.

Hard metrics on performance can then guide targeted investment, shape future training, and give CISOs and boards confidence that they are ready, rather than just compliant.

Keeping up with the regulatory shift

Financial regulators are taking cyber resilience extremely seriously. The Bank of England has taken a leading role here, with collaborative efforts like the Cross Market Operational Resilience Group (CMORG) serving as a good example of how to bring institutions, authorities and regulators together.

The EU’s Digital Operational Resilience Act (DORA) has also raised the bar for financial services. The added scrutiny demands that financial firms go beyond policy documents and prove they can maintain operations during cyber incidents.

That means showing, rather than just stating, how teams perform under stress. Simulations provide the observable, repeatable evidence of decision-making, coordination, and incident management that regulators are looking for. Cyber drills make resilience visible, measurable, and defensible in front of regulators, stakeholders, and boards.

If it’s not tested, it’s not ready

Cyberattacks have become a systemic threat to national stability. Meeting this moment demands a shift from compliance to continuous improvement.

Talking through a cyberattack is not enough. Financial firms must train like it's real – because one day, it will be.

Static exercises and theoretical readiness no longer suffice. Simulations offer the realism, pressure, and insight required to build true resilience. To stay ahead of attackers, and of regulators, firms must prepare for what's coming, not what's comfortable.
