Summary
- The Bank of England says CORST26 will explore a cloud service provider and third party disruption scenario.
- Its latest FMI report links cloud disruption testing with cyber resilience, CBEST, and the critical third party regime.
- The work reflects regulatory concern that cloud concentration can become a systemic financial resilience issue.
The Bank of England is putting major cloud service provider disruption at the centre of its 2026 cyber and operational resilience stress testing work for the UK financial sector.
The Bank’s latest financial market infrastructure supervision report says it will continue to exercise with industry through the 2026 Cyber and Operational Resilience Stress Test, known as CORST26, and SIMEX to identify sector-wide vulnerabilities from significant and sustained disruption to a major cloud service provider. The Bank’s CORST page says the test launched in April 2026 and will explore the impacts of a cloud service provider and third party disruption scenario, with thematic findings expected in summer 2027.
Cloud platforms, outsourced technology providers, market utilities, payments infrastructure, data services, and connectivity providers now sit underneath many critical financial processes. A major disruption at one provider can affect multiple regulated firms and financial market infrastructures at the same time, creating correlated operational risk that is difficult for individual firms to manage in isolation.
The Bank frames CORST as a macro-focused exploratory tool intended to provide strategic insight into sector vulnerabilities and potential financial stability impacts. The exercise goes beyond ordinary business continuity testing. It examines how the financial sector behaves when many firms, infrastructures, and third parties are stressed simultaneously.
The report also links this work to CBEST, the UK’s threat-led penetration testing programme for financial institutions, and to the critical third party regime introduced by the Bank, PRA, and FCA. Those rules came into effect on 1 January 2025 and apply once HM Treasury designates a critical third party. The regime is designed to manage risks to UK financial stability and confidence that could arise from disruption or failure at technology providers supporting the financial sector.
Penetration testing can expose security weaknesses, stress testing can examine operational and financial consequences, and the critical third party regime gives regulators a route to impose expectations on designated providers whose disruption could create systemic risk. Together, those mechanisms show how outsourcing accountability is moving from firm-level supplier management into sector resilience oversight.
The cloud scenario also forces a practical debate about resilience architecture. Firms can contract for high availability, but contractual assurances do not guarantee sector-wide continuity when the same platforms, identity services, observability tools, software pipelines, and data stores are concentrated across many institutions. Multi-cloud strategies can reduce some forms of dependency while adding complexity, cost, and skills pressure. Exit planning may look persuasive on paper but prove difficult where applications are tightly integrated with cloud native services.
Boards and risk committees need a concrete view of which critical business services depend on which providers, what impact tolerances apply, which manual or alternative processes are credible, how long recovery would take under degraded conditions, and whether third party contracts provide enough visibility during an incident.
The Bank’s FMI annual report and CORST overview place cloud and third party disruption inside financial stability oversight. The results will not arrive until 2027, but the supervisory direction is already visible in the design of the test.





