A review of firms' cybersecurity arrangements by the Financial Conduct Authority (FCA) has found that some have not tested their defences at all.
Late last year and early this year, the regulator reviewed the cybersecurity of 20 asset management and wholesale banking companies to help them find and counteract risks.
It discovered that, while some had carried out 'extensive programmes' covering staff and systems, some had done 'almost no testing' of their measures whatsoever.
The review did not measure the effectiveness of cyber technical controls.
Piecemeal tests with no clear plan for acting on the threats they identified were the least effective, the FCA said, while testing carried out as part of a wider strategy was deemed more valuable.
EY's financial services cyber solutions leader Steve Holt commented: 'The FCA’s findings are a loud alarm call to the UK asset management industry on its cybersecurity.
'While only covering a small part of the market, it should still be a catalyst for firms to review their planning, systems, staff education and relationships with third parties, including the increasing use of cloud providers.
'With over £8 trillion in assets under management in the UK, it’s not surprising the regulator is focusing on asset managers and will continue to monitor how firms respond.'
Senior figures required more detail to target specific threats and cultivate a productive cyber culture, Holt claimed.
He said: 'The key finding was that boards and senior management still need more information on the specific risks for their individual business.
'Interestingly, the regulator also asked whether firms are doing enough to link cyber risk with conduct issues, such as market abuse and financial crime.
'By embedding a security conscious culture, the firms could reduce both their conduct and cyber risks.
'More worryingly, incident response plans were found to be lacking in impact assessment on customers, reputational damage and the broader market impact.'
The FCA found that awareness of the threats posed by weak cybersecurity was lower in firms without specific strategies, and in firms whose incident response plans largely fail to acknowledge the damage that successful cyber attacks cause to reputation and to clients.