In January 2026, the Financial and Cybercrime Prevention department (FCCP) of the FSRA published the findings of its Cyber Risk Management Survey. The survey was conducted in Q3 2025 and sent to 315 FSRA-regulated firms. It achieved an 83% response rate, with 263 firms providing insight into the current state of governance structures, technical controls, and overall cyber resilience.
The timing of the publication was deliberate. With the FSRA’s new Cyber Risk Management Rules taking effect on January 31, 2026, the survey findings served as both a readiness assessment and a forward-looking signal. They offered a clear picture of where the sector stands and, more importantly, where it still has ground to cover. The findings spoke to five key areas of focus, each of which carries direct implications for how firms should be building and maintaining their cybersecurity programs today.
1. Cyber Risk Management Framework and Governance
The FSRA’s first area of assessment covers the governance structures that sit behind a firm’s cybersecurity program. The findings indicate that while many firms have made progress in this area, several gaps remain.
At a minimum, the FSRA expects firms to maintain:
- A cyber risk management framework that is formally documented and board approved.
- Active board-level representation and management forums that make real decisions about cyber risk.
- Clearly assigned operational roles and responsibilities for cyber risk management.
The reason the FSRA places such emphasis on the last point is practical: ambiguity in accountability does not become apparent under normal operating conditions. It becomes apparent during a cyber incident, when speed and decisiveness are the difference between containment and escalation. Firms that have not clearly defined who is responsible for what will struggle to respond decisively. The FSRA expects the board and senior management to hold ultimate responsibility for cyber risk.
2. Identification and Assessment of Cyber Risk
Effective cyber risk management depends on the identification of risks. This underpins the FSRA’s second area of focus, which covers cyber risk assessments, IT asset classification, vulnerability management, and third-party cyber risk.
The survey findings highlight that IT asset classification and vulnerability management are deeply interconnected. Without a complete and up-to-date inventory of information and communications technology assets, classified by criticality and sensitivity, firms cannot make informed decisions about where to direct security resources or how urgently to remediate identified vulnerabilities. The FSRA notes that unidentified assets and unpatched vulnerabilities are among the most exploited attack vectors used against financial institutions.
Third-party risk is also prominently featured in this area. The FSRA’s findings suggest that many firms are not adequately formalizing their cybersecurity expectations within vendor relationships.
Specifically, service provider agreements should:
- Include explicit cyber incident reporting requirements
- Set out clearly defined cybersecurity standards
- Be subject to ongoing compliance monitoring, not assumed adherence
The obligations a firm has toward the FSRA do not diminish because a function has been outsourced. The survey findings suggest that not all firms have fully internalized that reality.
3. Protection of ICT Assets Against Cyber Incidents
The third area of assessment covers security awareness training, cyber threat intelligence, and technical security controls. Together, these represent the day-to-day operational fabric of a firm’s cyber defenses.
- On training, the FSRA emphasizes that security awareness training is a critical component of operational resilience. Employees are often the first line of defense against social engineering attacks, and insufficient workforce awareness creates vulnerabilities regardless of how sophisticated a firm's technical controls are.
- On threat intelligence, the FSRA expects firms to actively participate in intelligence-sharing communities and ensure that threat intelligence is integrated into internal processes, not siloed within a single team.
- On technical controls, the survey found that basic measures such as passwords, multi-factor authentication, and anti-malware solutions are widely adopted. More advanced controls show lower uptake, which the FSRA acknowledges is expected given the principle of proportionality. However, the FSRA is explicit on identity and access management: firms must implement strong IAM controls and adopt the principle of least privilege to reduce their overall attack surface.
4. Monitoring and Testing
The FSRA’s fourth area of focus covers logging and monitoring practices, as well as adversarial testing methodologies. The survey findings are direct: the limited adoption of advanced testing methods reduces firms’ ability to identify sophisticated or emerging vulnerabilities and may leave critical gaps entirely undetected.
Logging and monitoring provide the visibility a firm needs to detect incidents as they occur. Without structured processes in place, incidents can go undetected for extended periods, significantly increasing their potential impact.
On adversarial testing, the FSRA draws a distinction based on organizational complexity. Larger and more complex firms are expected to implement testing methodologies that simulate real-world attack scenarios, including:
- Penetration testing
- Red teaming
- Other exercises that identify vulnerabilities that standard processes may not detect
For firms of that profile, these are not optional enhancements. They are expected capabilities.
5. Detection, Response, and Recovery
The fifth area assessed by the survey covers cyber incident management: whether firms have formal incident response plans in place and whether those plans are being actively tested.
According to the FSRA’s findings, having an incident response plan is not sufficient. Firms that have plans in place but do not test them regularly may find their response capabilities significantly less effective when a real incident occurs.
The FSRA expects incident response plans to be supported by regular testing and simulation exercises, along with post-incident reviews to identify gaps and drive continuous improvement. A firm that regularly tests response procedures will contain an incident faster, recover more effectively, and meet the FSRA’s 24-hour notification requirement for material cyber incidents.
The Bottom Line: The Five Areas Are Not Independent
Reading the survey findings area by area can give the impression that these are five separate workstreams to be addressed in parallel. In practice, they function as a chain, and the strength of a firm’s overall cybersecurity posture is determined by its weakest link.
Effective monitoring and testing depend entirely on what is being monitored. If a firm has not completed a thorough IT asset inventory, its monitoring program will have blind spots built into it from the start. Penetration testing findings cannot be acted upon quickly without the clearly defined operational roles that the first section demands.
Security awareness training directly affects how well an incident response plan performs, because the human response to a suspected incident is often the first and most consequential step in the containment process. Threat intelligence, if properly integrated, should be feeding directly into the risk assessments and vulnerability prioritization that the second section calls for.
This interconnection reflects the FSRA’s broader intent: not to produce firms that can merely demonstrate compliance across five discrete categories, but to produce firms with fully integrated, resilient cybersecurity programs. The survey findings suggest that many firms have made meaningful progress in individual areas while the connections between those areas remain underdeveloped.
Turning Survey Findings into Action
With the FSRA’s Cyber Risk Management Rules now in effect, firms should view these survey findings as a clear indication of regulatory expectations moving forward.
A practical next step is to assess not only whether individual elements of your cybersecurity program are in place, but whether they are effectively connected, tested, and functioning as an integrated whole.
ACA can support firms by helping to:
- Assess alignment with FSRA Cyber Risk Management Rules
- Evaluate governance structures and accountability frameworks
- Identify gaps across asset management, vendor oversight, and testing
- Strengthen incident response capabilities through testing and simulation
- Enhance integration across cybersecurity program components
Regulatory expectations are evolving toward demonstrable resilience.
Connect with our team to evaluate your cybersecurity program and identify areas for improvement.