Preparing for the inevitable. Why Cyber Incident Exercising (CIE) is critical for financial institutions
27 March 2025
Cyber threats are no longer hypothetical; they are an inevitable challenge that every organisation needs to prepare for. The question for CISOs and CTOs isn’t if an incident will occur, but when.

For financial institutions, the stakes couldn’t be higher. A cyber attack doesn’t just mean operational disruption - it threatens customer trust, regulatory compliance and long-term reputation. Enter the Digital Operational Resilience Act (DORA), a newly adopted EU regulation designed to strengthen the cyber resilience of financial institutions by ensuring they can withstand, respond to and recover from cyber threats.
So, where does Cyber Incident Exercising (CIE) come in? As a core requirement of DORA, CIE involves simulating real-world cyber threats to assess how well an organisation can detect, respond to, and recover from attacks. More than just a checkbox exercise, it’s a vital tool under the DORA mandate.
Are you ready?
Having come into effect in January 2025, DORA mandates that financial institutions implement “robust ICT risk management frameworks”, including regular digital operational resilience testing.
Since then, organisations must:
Document and test cyber resilience frameworks
Conduct Cyber Incident Exercises regularly
Prove compliance through audits and reporting
DORA doesn’t just require having a plan, it mandates that organisations prove it works through regular testing and refinement. If your organisation hasn’t started planning (or practising CIE) for DORA compliance, you should consider completing a CIE readiness assessment.
Why it matters
Cyber Incident Exercising is the most effective way to prepare for the inevitable. It’s about simulating real-world cyber threats in a controlled environment to stress-test your organisation’s response. It’s essential because:
Teams perform better under pressure when they’ve had the opportunity to practise.
Weaknesses are easier to fix when identified in a test—not during a crisis.
Regulators demand evidence that your organisation is prepared.
The UK’s National Cyber Security Centre (NCSC) strongly advocates for Cyber Incident Exercising, and has introduced a certification scheme for organisations that deliver such exercises so they can demonstrate their effectiveness.
As Paul Chichester, Director of Operations at NCSC, puts it:
“The first time you try out your cyber incident response plan shouldn’t be on the day you are attacked.”
Build a culture of resilience
Cyber resilience isn’t just about technology - it’s about people, processes and culture. Organisations that embed a proactive security mindset are the ones that recover fastest from cyber incidents.
What a strong resilience culture looks like:
Security is owned by everyone, not just the CISO or IT department.
Teams know their roles in an incident response scenario.
Cross-functional collaboration is built into security practices.
Cyber Incident Exercising helps break down silos between technical, risk and business teams. This ensures that everyone knows what to do should the worst happen.
Start with simple exercises
Not sure where to begin? Take one step at a time by starting small, iterating and improving.
Assess your current response plan
Start with tabletop exercises
Simulate real-world attack scenarios
Engage a trusted and certified partner
Cyber resilience isn’t about perfection - it’s about progress. If you struggle to get started, engage with a trusted partner.
Embrace continuous improvement
Cyber threats will only grow in sophistication, and compliance is just the starting point. The most resilient financial institutions are those that regularly test, learn and adapt.
A well-rehearsed response plan doesn’t just tick a regulatory box - it safeguards your business, protects customer trust and builds confidence.
The lingering question isn’t whether you need Cyber Incident Exercising. It’s whether you can afford not to.
Article By

Simon Whittaker
Head of Cyber Security