Boards across UK financial services and healthcare are asking the same question this budget cycle: where does the security spend actually move the needle in 2026? The honest answer most CISOs give in the corridor — but rarely in the boardroom — is that half the roadmap inherited from 2023 no longer matches the threat profile or the regulatory direction of travel.
The Cyber Security and Resilience Bill is progressing through Parliament. The FCA's operational resilience regime under PS21/3 reached the end of its transition period on 31 March 2025, meaning firms must now be operating within their impact tolerances for severe but plausible scenarios. Ransomware groups have increasingly shifted from encryption to pure exfiltration-and-extortion against NHS suppliers and mid-market financial firms. The Synnovis incident in June 2024, which disrupted services at King's College Hospital and Guy's and St Thomas', made the consequences of third-party security failures impossible to ignore at trust board level.
This post sets out five priorities our consultants are pushing into client cybersecurity strategy development conversations for the 2026-2028 planning horizon. They are not the only priorities. They are the ones that, in our experience supporting CISOs across regulated sectors, are most often underweighted in the current roadmap.
1. Rebuild the Third-Party Risk Programme Around Concentration, Not Questionnaires
Vendor security questionnaires are not a programme. They are evidence collection at best, and theatre at worst. The Synnovis disruption demonstrated something the FCA had already been signalling through PS21/3: the risk that matters is concentration — the single supplier, the single cloud region, the single managed service whose failure halts an important business service.
For FCA-regulated firms, the operational resilience regime requires identification of important business services, mapping of the people, processes, technology, facilities and information supporting them, and setting of impact tolerances. The third-party element of that mapping is where most programmes are still weakest. Knowing that a supplier holds ISO 27001 tells you nothing about whether your service survives a 72-hour outage at that supplier.
Practical reset for 2026: rank suppliers by the importance of the business service they support, not by contract value. For the top tier, demand evidence of their own incident response timelines, their subcontractor map, and their tested recovery objectives. Build exit and substitutability plans for any supplier whose loss breaches your impact tolerance. Stop treating SOC 2 reports as a substitute for understanding what actually happens when the supplier goes dark.
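As an added worked example (not Pyralink's tooling and not client data), the check below turns the reset above into something a programme can re-run every quarter: suppliers are ranked by the tightest impact tolerance of any important business service they support, tested recovery times are compared against those tolerances, and the subcontractor map is used to surface hidden concentration on a fourth party that several top-tier suppliers share. Every supplier name, tolerance and recovery figure here is constructed for illustration.

```python
"""Supplier ranking, impact-tolerance breaches and fourth-party concentration.

Added example, not Pyralink's code. All data below is constructed; the
service names, suppliers, tolerances and recovery times are hypothetical.
"""
from collections import defaultdict

# Important business services and the impact tolerance set for each (hours).
IMPACT_TOLERANCES = {
    "pathology-results": 24,
    "payments-clearing": 4,
    "patient-admissions": 12,
}

# Supplier -> services supported, tested recovery time in hours
# (None = the supplier has never evidenced a tested figure), and the
# supplier's own subcontractors as declared in their subcontractor map.
SUPPLIERS = {
    "LabCo": {"services": ["pathology-results"], "tested_rto_hours": 72,
              "subcontractors": ["HostCo"]},
    "PayGateway": {"services": ["payments-clearing"], "tested_rto_hours": 2,
                   "subcontractors": ["HostCo"]},
    "AdmitSoft": {"services": ["patient-admissions"], "tested_rto_hours": None,
                  "subcontractors": ["HostCo", "SMSCo"]},
    # High contract value, supports no important business service.
    "DeskCo": {"services": [], "tested_rto_hours": 48, "subcontractors": []},
}


def rank_suppliers(suppliers, tolerances):
    """Rank suppliers by the tightest impact tolerance of any service they support.

    Suppliers that support no important business service sort last regardless
    of contract value; that is the point of ranking by service, not by spend.
    """
    def tightest_tolerance(item):
        _, s = item
        tols = [tolerances[svc] for svc in s["services"]]
        return min(tols) if tols else float("inf")
    return [name for name, _ in sorted(suppliers.items(), key=tightest_tolerance)]


def tolerance_breaches(suppliers, tolerances):
    """Supplier/service pairs where loss of the supplier would breach the tolerance.

    An untested recovery objective is treated as a finding in its own right:
    an untested number is not evidence.
    """
    findings = []
    for name, s in suppliers.items():
        rto = s["tested_rto_hours"]
        for svc in s["services"]:
            if rto is None:
                findings.append((name, svc, "recovery objective untested"))
            elif rto > tolerances[svc]:
                findings.append(
                    (name, svc, f"tested RTO {rto}h exceeds tolerance {tolerances[svc]}h"))
    return findings


def concentration(suppliers):
    """Map each subcontractor to the business services that ultimately depend on it.

    Only subcontractors that sit under more than one service are returned:
    those are the single points of failure the questionnaire never shows.
    """
    dependents = defaultdict(set)
    for s in suppliers.values():
        for sub in s["subcontractors"]:
            dependents[sub].update(s["services"])
    return {sub: sorted(svcs) for sub, svcs in dependents.items() if len(svcs) > 1}


if __name__ == "__main__":
    print("Ranking:", rank_suppliers(SUPPLIERS, IMPACT_TOLERANCES))
    for name, svc, reason in tolerance_breaches(SUPPLIERS, IMPACT_TOLERANCES):
        print(f"EXIT PLAN NEEDED: {name} / {svc}: {reason}")
    for sub, svcs in concentration(SUPPLIERS).items():
        print(f"CONCENTRATION: {sub} sits under {len(svcs)} services: {svcs}")
```

In the constructed data, the supplier with the largest contract sorts last, the pathology supplier's tested 72-hour recovery breaches a 24-hour tolerance, and a single hosting subcontractor turns out to sit under all three important business services even though no single first-tier supplier does.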
2. Treat Identity as the Primary Security Perimeter
The intrusion patterns our incident response work surfaces are remarkably consistent: compromised credentials, MFA fatigue or SIM-swap bypass, lateral movement through over-privileged service accounts, and exfiltration through legitimate cloud APIs. The network perimeter contributed almost nothing to detection. Identity contributed everything — or should have.
Three-year security programme planning for 2026-2028 should centre identity. That means:
- Phishing-resistant MFA (FIDO2/WebAuthn, whether hardware security keys or platform authenticators) for all privileged and high-risk users, not just admins; push approvals and one-time codes are exactly the factors the MFA-fatigue and credential-phishing patterns above defeat
- A live, accurate inventory of service accounts, machine identities and non-human credentials — typically two to ten times the size of the human identity population in cloud-heavy estates
- Just-in-time privileged access for production environments, replacing standing admin rights
- Conditional access policies driven by device posture, not just user identity
Healthcare environments add complexity here. Shared clinical workstations, break-glass accounts, and legacy medical devices that cannot support modern authentication all need compensating controls. The answer is not to lower the bar — it is to segment and monitor those exceptions ruthlessly. Our team has seen too many trusts where "clinical workflow" became a permanent justification for unmanaged shared credentials.
3. Get Honest About Cloud Posture Before Adding More Cloud
Most UK financial services and healthcare organisations are now operating across at least two cloud providers, often without a unified view of configuration drift, identity sprawl, or data residency. The 2026 priority is not more cloud adoption — it is consolidation, hardening, and continuous assurance of what is already deployed.
Configuration drift is the silent killer. A storage bucket made public for a one-off data exchange in 2023, never reverted. A test IAM role with full administrative permissions, still active. A logging pipeline that quietly stopped ingesting six months ago. These are not exotic failures — they are the standard findings from every cloud audit our consultants run.
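The three findings above are mechanical to check once you have the inventory. The script below is an added illustration (not CloudAuditX or any other vendor's product) that runs those checks over a constructed snapshot shaped like AWS S3 bucket policies, IAM role policies and log-pipeline timestamps. The account ID, resource names, the fixed "now" and the one-day ingestion threshold are assumptions made for the example.

```python
"""Offline drift checks over a constructed cloud inventory snapshot.

Added example, not CloudAuditX or vendor code. SNAPSHOT is made up and uses
the shape of AWS IAM/S3 policy documents; NOW is fixed so results are
deterministic; the thresholds and account ID are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # assumed "now" for the example
LOG_GAP_THRESHOLD = timedelta(days=1)              # assumed acceptable ingestion gap

# Constructed snapshot: what a posture tool would pull from the cloud APIs.
SNAPSHOT = {
    "buckets": {
        "partner-exchange-2023": {"policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::partner-exchange-2023/*"}]})},
        "finance-reports": {"policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::123456789012:role/Reporting"},
                           "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::finance-reports/*"}]})},
    },
    "roles": {
        "test-admin-2023": {"policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
            "last_used": "2023-11-02T09:14:00Z"},
        "app-deploy": {"policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["ecs:UpdateService"],
                           "Resource": "*"}]}),
            "last_used": "2026-01-14T22:01:00Z"},
    },
    "log_pipelines": {
        "cloudtrail-to-siem": {"last_event": "2025-07-10T03:00:00Z"},
        "vpc-flow-to-siem": {"last_event": "2026-01-14T23:30:00Z"},
    },
}


def _statements(policy_json):
    """Normalise a policy document to a list of statements."""
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def public_buckets(snapshot):
    """Buckets with an unconditional Allow to the anonymous principal."""
    found = []
    for name, bucket in snapshot["buckets"].items():
        for st in _statements(bucket["policy"]):
            principal = st.get("Principal")
            anonymous = principal == "*" or (
                isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
            if st.get("Effect") == "Allow" and anonymous and "Condition" not in st:
                found.append(name)
                break
    return found


def wildcard_admin_roles(snapshot):
    """(role, days since last use) for roles allowing Action * on Resource *."""
    found = []
    for name, role in snapshot["roles"].items():
        for st in _statements(role["policy"]):
            if (st.get("Effect") == "Allow"
                    and "*" in _as_list(st.get("Action", []))
                    and "*" in _as_list(st.get("Resource", []))):
                found.append((name, (NOW - _parse(role["last_used"])).days))
                break
    return found


def stalled_log_pipelines(snapshot, threshold=LOG_GAP_THRESHOLD):
    """Pipelines whose most recent ingested event is older than the threshold."""
    return [name for name, p in snapshot["log_pipelines"].items()
            if NOW - _parse(p["last_event"]) > threshold]


if __name__ == "__main__":
    print("Public buckets:", public_buckets(SNAPSHOT))
    print("Wildcard admin roles (days idle):", wildcard_admin_roles(SNAPSHOT))
    print("Stalled log pipelines:", stalled_log_pipelines(SNAPSHOT))
```

Each check is deliberately a pure function of the snapshot, so the same logic runs against a live API pull today and against last quarter's export, which is what lets you show drift over time rather than a single point-in-time finding.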
CloudAuditX was built precisely because point-in-time audits do not catch drift. Continuous posture assessment across AWS, Azure and Google Cloud, mapped against ISO 27001 controls and CIS Benchmarks, is the baseline we now recommend for any organisation with material cloud exposure. If you have not run a cloud configuration review in the last six months, you do not know your current posture — you know your historical posture.
4. Build a Real Resilience Capability, Not a Tabletop Habit
Annual tabletop exercises are useful for awareness. They are not a resilience capability. The FCA's operational resilience expectations under PS21/3 require firms to test their ability to remain within impact tolerances during severe but plausible scenarios — and to use what they learn to improve. The bar is higher than "we ran a workshop and produced a report."
What works: scenario testing that actually disconnects systems, not just discusses them. Recovery rehearsals with documented timings, compared against stated recovery objectives. Communication tree tests run cold, without warning. Backup restoration tests that prove the backups are usable, not just present. For healthcare organisations, this includes rehearsing the clinical fallback procedures, such as paper records, manual workflows and alternative pathology routing, that the Synnovis incident showed to be under-rehearsed in the affected trusts.
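Restoration tests are the easiest item on that list to automate. The added example below (not Pyralink's code) restores a backup to a fresh location, proves the copy is usable with the database engine's own integrity check and a record count captured when the backup was taken, times the whole run against a stated recovery objective, and shows what the same proof returns when the backup file is present but corrupt. SQLite, the row count and the two-second objective are stand-ins chosen so it runs offline; in production the same three questions are asked of whatever you actually back up.

```python
"""Backup restoration proof: restore, verify, and time against the recovery objective.

Added example, not Pyralink's code. SQLite, the 1000-row dataset and the
two-second recovery objective are constructed stand-ins.
"""
import os
import sqlite3
import tempfile
import time
from dataclasses import dataclass

RECOVERY_OBJECTIVE_SECONDS = 2.0   # assumed stated RTO for this tiny dataset
EXPECTED_ROWS = 1000               # record count recorded when the backup was taken


@dataclass
class RestoreResult:
    restored: bool            # the file could be copied to the recovery location
    integrity_ok: bool        # the engine's integrity check passed
    row_count: int            # records actually readable after restore
    elapsed_seconds: float    # wall-clock time for the whole restore-and-verify
    within_objective: bool    # usable, complete, and restored inside the objective


def make_backup(path, rows=EXPECTED_ROWS):
    """Create a constructed source database and take a consistent online backup."""
    src = sqlite3.connect(":memory:")
    src.execute("CREATE TABLE results(id INTEGER PRIMARY KEY, patient_ref TEXT, value REAL)")
    src.executemany("INSERT INTO results(patient_ref, value) VALUES (?, ?)",
                    [(f"P{i:05d}", i * 0.1) for i in range(rows)])
    src.commit()
    dst = sqlite3.connect(path)
    src.backup(dst)            # SQLite online backup API: a consistent snapshot
    dst.close()
    src.close()


def restore_and_verify(backup_path, expected_rows=EXPECTED_ROWS,
                       objective=RECOVERY_OBJECTIVE_SECONDS):
    """Restore to a fresh location, prove the copy is usable, and time the whole thing."""
    started = time.monotonic()
    restored, integrity, rows, conn = False, "", 0, None
    with tempfile.TemporaryDirectory() as tmp:
        restored_path = os.path.join(tmp, "restored.db")
        try:
            with open(backup_path, "rb") as f, open(restored_path, "wb") as g:
                g.write(f.read())
            restored = True
            conn = sqlite3.connect(restored_path)
            integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
            rows = conn.execute("SELECT COUNT(*) FROM results").fetchone()[0]
        except (OSError, sqlite3.DatabaseError):
            # A backup that cannot be read back is "present but not usable".
            elapsed = time.monotonic() - started
            return RestoreResult(restored, False, 0, elapsed, False)
        finally:
            if conn is not None:
                conn.close()
    elapsed = time.monotonic() - started
    usable = integrity == "ok" and rows == expected_rows
    return RestoreResult(True, integrity == "ok", rows, elapsed,
                         usable and elapsed <= objective)


def corrupt(path):
    """Zero part of the file to simulate a backup that exists but is unusable."""
    with open(path, "r+b") as f:
        f.seek(100)                 # keep the header, destroy the schema page
        f.write(b"\x00" * 4096)


def run_demo():
    """Take a backup, prove it restores, then show the same proof failing when corrupt."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "results.bak")
        make_backup(backup)
        good = restore_and_verify(backup)
        corrupt(backup)
        bad = restore_and_verify(backup)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print(f"clean backup:   rows={good.row_count} integrity={good.integrity_ok} "
          f"{good.elapsed_seconds:.3f}s within objective={good.within_objective}")
    print(f"corrupt backup: restored={bad.restored} integrity={bad.integrity_ok} "
          f"within objective={bad.within_objective}")
```

The point of returning a structured result rather than a pass/fail is that "restored but outside the objective" and "restored but missing records" are different findings with different owners, and both are invisible to a test that only checks the backup job ran.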
The mistake we see most often is treating business continuity, disaster recovery, and incident response as three separate documents owned by three separate teams. They are one capability. The 2026 roadmap should consolidate them, with a single accountable executive owner and a single integrated testing schedule.
5. Make AI Governance a Security Programme Deliverable
The UK does not have an AI Act. The government's approach has been principles-based and sector-led, with regulators including the ICO, FCA and MHRA applying existing powers. That does not mean AI governance can wait. UK GDPR already governs automated decision-making and the processing of personal data through AI systems. The ICO's guidance on AI and data protection, updated through 2024, sets clear expectations.
For organisations with EU exposure, the EU AI Act applies as well. It reaches any provider placing an AI system on the EU market, wherever that provider is based, and any deployer established in the EU; its main high-risk obligations apply from 2 August 2026, with those for AI embedded in products already covered by EU product-safety law following a year later. Get the jurisdictional scope right before you build the programme.
Practical priorities for 2026: a current inventory of AI and machine learning systems in use, including shadow AI adopted by business units without IT involvement; a risk classification model that flags systems making decisions about individuals; data protection impact assessments updated to cover model training data and inference; and clear contractual positions with AI vendors on training data use, model updates, and incident notification.
How Pyralink Helps
Pyralink Innovation Ltd works with UK financial services firms, healthcare providers and their suppliers on exactly the programme reset described above. Our Founder and Managing Director, Michael Adedeji (CISM, CISA, CC, MSc Data Science), leads a team of consultants who have built and run security programmes in regulated environments, not just audited them.
Our fractional vCISO service, from £497 per month, gives mid-market organisations board-level security leadership without the full-time cost — including ownership of three-year security programme planning, regulator engagement, and audit readiness. ISO 27001 certification support runs from gap analysis through to surveillance audit. CloudAuditX provides continuous multi-cloud posture assurance. The firm holds £5M professional indemnity cover.
Further analysis is available through our insights, and the free compliance scanner gives you a starting baseline against UK regulatory expectations in under ten minutes.