FSRA Cyber Survey: Where Financial Firms Are Falling Short

Fintech Global, Jun 3, 2026

Why It Matters

The findings expose systemic vulnerabilities that could trigger costly breaches and regulatory penalties, pressuring financial institutions to overhaul their cyber‑risk frameworks before enforcement tightens. Aligning governance, vendor oversight, and testing is now a compliance imperative and a competitive differentiator.

Key Takeaways

  • Governance frameworks lack clear board‑level accountability
  • Vendor contracts often omit mandatory cyber‑risk clauses
  • Employee training gaps leave firms vulnerable to social engineering
  • Advanced testing like red‑team exercises remains underutilized

Pulse Analysis

The FSRA’s January 2026 publication marks a watershed moment for cyber‑risk oversight in the financial sector. By surveying 263 firms with an 83 percent response rate, the regulator captured a granular view of how institutions are adapting to its new Cyber Risk Management Rules. While basic safeguards such as multi‑factor authentication are now commonplace, the survey reveals that many firms still treat cybersecurity as a series of siloed checklists rather than a cohesive, board‑endorsed strategy. This misalignment threatens both regulatory compliance and operational resilience.

Key weaknesses cluster around governance, third‑party risk, and human factors. The FSRA found that many firms lack a formally documented, board‑approved cyber‑risk framework, leaving accountability ambiguous during an incident. In the vendor arena, contracts frequently omit explicit incident‑reporting and security‑standard clauses, despite regulators’ insistence that outsourcing does not shift liability. Moreover, employee awareness training remains uneven, making staff the most exploitable entry point for social‑engineering attacks. These gaps underscore the need for a unified risk‑management culture that integrates policy, technology, and people.

Looking ahead, the regulator’s emphasis on integrated programmes signals a shift toward proactive defense. Advanced testing—penetration tests, red‑team exercises, and simulation drills—must become routine for complex institutions to uncover blind spots that standard monitoring misses. Regularly exercised incident‑response plans will be essential to meet the 24‑hour breach‑notification rule and to limit financial fallout. Firms that close these gaps will not only avoid fines but also gain a market edge by demonstrating robust cyber resilience to investors and customers alike.
