Preparing for the inevitable. Why Cyber Incident Exercising (CIE) is critical for financial institutions

For financial institutions, the stakes couldn’t be higher. A cyber attack doesn’t just mean operational disruption - it threatens customer trust, regulatory compliance and long-term reputation. Bring forth the Digital Operational Resilience Act (DORA), a newly adopted EU regulation designed to strengthen the cyber resilience of financial institutions by ensuring they can withstand, respond to and recover from cyber threats.

So, where does Cyber Incident Exercising (CIE) come in? As a core requirement of DORA, CIE involves simulating real-world cyber threats to assess how well an organisation can detect, respond to, and recover from attacks. More than just a checkbox exercise, it’s a vital tool under the DORA mandate.

Are you ready?

Having come into effect on January 2025, DORA mandates that financial institutions implement “robust ICT risk management frameworks”, including regular digital operational resilience testing.

Since then, organisations must:

• Document and test cyber resilience frameworks

• Conduct Cyber Incident Exercises regularly

• Prove compliance through audits and reporting

DORA doesn’t just require having a plan, it mandates that organisations prove it works through regular testing and refinement. If your organisation hasn’t started planning (or practising CIE) for DORA compliance, you should consider completing a CIE readiness assessment.

Why it matters

Cyber Incident Exercising is the most effective way to prepare for the inevitable. It’s about simulating real-world cyber threats in a controlled environment to stress-test your organisation’s response. It’s essential because:

• Teams perform better under pressure when they’ve had the opportunity to practise.

• Weaknesses are easier to fix when identified in a test—not during a crisis.

• Regulators demand evidence that your organisation is prepared.

The UK’s National Cyber Security Centre (NCSC) strongly advocates for Cyber Incident Exercising, having implemented a certification for testing organisations to demonstrate their effectiveness.

As Paul Chichester, Director of Operations at NCSC, puts it:

“The first time you try out your cyber incident response plan shouldn’t be on the day you are attacked.”

Related Insight

Top cyber security priorities for CEOs in 2025 (and how to tackle them)

What exactly should CEOs be prioritising in 2025 and beyond?

Build a culture of resilience

Cyber resilience isn’t just about technology - it’s about people, processes and culture. Organisations that embed a proactive security mindset are the ones that recover fastest from cyber incidents.

What a strong resilience culture looks like:

• Security is owned by everyone, not just the CISO or IT department.

• Teams know their roles in an incident response scenario.

• Cross-functional collaboration is built into security practices.

Cyber Incident Exercising helps break down silos between technical, risk and business teams. This ensures that everyone knows what to do should the worst happen.

Start with simple exercises

Not sure where to begin? Take one step at a time by starting small, iterating and improving.

• Assess your current response plan

• Start with tabletop exercises

• Simulate real-world attack scenarios

• Engage a trusted and certified partner

Cyber resilience isn’t about perfection - it’s about progress. If you struggle to get started, engage with a trusted partner.

Embrace continuous improvement

Cyber threats will only grow in sophistication, compliance is just the starting point. The most resilient financial institutions are those who regularly test, learn and adapt.

A well-rehearsed response plan doesn’t just tick a regulatory box - it safeguards your business, protects customer trust and builds confidence.

The lingering question isn’t whether you need Cyber Incident Exercising. It’s whether you can afford not to.