What Cybersecurity Training Do Financial Services Firms Need?
The training that financial services firms actually need bears little resemblance to annual awareness modules. Regulators are no longer asking whether training happened. They are asking whether it changed anything, and how firms know.
The FCA's operational resilience framework and PS21/3 make it clear that firms must be able to tolerate and recover from operational disruptions. Human behaviour is not peripheral to that obligation. It sits at the centre of it.
The threat vectors that matter in this sector are specific: business email compromise targeting payment authorisation, credential phishing aimed at trading systems and client data, and social engineering that exploits the urgency-driven culture of front-office environments. Generic security awareness content does not address these with the precision regulators expect. LimitedView research across 847 organisations found that 73% of security incidents involve a human decision point (a click, a disclosure, an override), compared to 12% attributed to purely technical failures. In financial services, where wire transfers and data access happen at pace, that ratio carries direct financial and regulatory consequence.
How Do FCA Regulations Affect Security Training?
The FCA does not mandate a specific curriculum. It does create clear accountability for firms that cannot demonstrate staff competence in recognising and responding to cyber threats. Under the Senior Managers and Certification Regime, named individuals bear personal accountability for the systems and controls within their remit. That explicitly includes the human layer of those controls.
FCA Dear CEO letters and multi-firm reviews have repeatedly flagged inadequate security culture as a root cause in data loss and fraud incidents. Firms under scrutiny are now being asked not just whether training occurred, but whether it changed behaviour and how they know.
Completion rates are no longer sufficient. Regulators expect firms to link training activity to measurable outcomes: reduced phishing susceptibility, faster incident reporting, lower rates of policy override. That requires a shift from volume-based delivery to outcome-based programme design.
What Are PRA Expectations for Cyber Resilience Training?
The PRA's supervisory statement SS2/21 on operational resilience treats the workforce as a critical component of a firm's ability to remain within impact tolerances during a cyber event. Training is not referenced as a standalone activity. It sits within the broader expectation that firms understand their vulnerabilities and have tested their ability to respond.
PRA-supervised firms are expected to conduct scenario testing that includes human-factor elements: how staff behave under simulated pressure, whether incident escalation paths are understood and followed, and whether third-party dependencies introduce training gaps at handover points.
Firms in dual-regulated environments carry the combined weight of both frameworks. The FCA focuses on consumer outcomes and market integrity. The PRA focuses on systemic stability. Both converge on the same requirement: treat workforce cyber capability as a measurable control, not a communications programme.
How Should Training Programmes Be Structured for Financial Services?
The roles that represent the highest-risk decision points in the organisation should drive the structure. A payments operations analyst, a relationship manager handling client instructions, and a technology administrator face materially different threat scenarios. A single training pathway cannot address all three with sufficient depth.
LimitedView's research, covering over 650,000 employees across 847 organisations, found measurably stronger behaviour change outcomes in organisations using role-specific, scenario-based training compared to those using broadcast-style annual modules.
Structural recommendations for financial services training programmes:
- Role-mapped content aligned to the specific systems and data each function accesses
- Scenario fidelity that reflects real incident patterns from the sector, not generic examples
- Spaced reinforcement delivered through the year rather than concentrated in a single annual session
- Measurable outputs tied to specific behavioural indicators rather than completion alone
- Board and executive pathways addressing the social engineering and data governance risks most relevant to senior decision-makers
What Does Good Look Like for Regulators?
A firm that can articulate its human risk profile, demonstrate how training addresses that profile, and show evidence the programme is working. The evidence does not have to be perfect. Regulators understand that behaviour change is gradual. But it must be credible and specific.
Firms presenting a dashboard of completion rates alongside zero incident trend data are increasingly asked harder questions than those presenting partial completion rates alongside genuine incident reduction evidence and a clear narrative about what changed and why.
Regulators are increasingly sophisticated about the difference between training as a compliance artefact and training as an operational control. Financial services firms that build programmes with the latter framing will find supervisory conversations considerably more straightforward.