Security · IT Support
Would Your Firm Even Know?
6 July 2026

The average breach isn't discovered on day one. It's discovered weeks or months later, often by someone outside the firm, after the damage has already been done quietly in the background. The gap between compromise and detection is where the real cost of an incident is decided.
Prevention gets most of the attention and most of the budget. Detection is what actually determines how bad an incident becomes.
This article relates to the Monitoring, Logging & Incident Response domain of the Technology Resilience Score. It looks at whether your firm would actually notice if something had already gone wrong.
Why monitoring and response are different for financial services firms
Attackers who get into a financial services environment often aren't looking for a quick smash-and-grab. They're looking for client money movements, deal timelines and confidential information they can use or sell, which means staying hidden for as long as possible is exactly what they want.
- Sophisticated attackers deliberately avoid detection to observe and extract more value over time
- Smaller firms often lack the logging needed to reconstruct what happened after the fact
- Every day an intrusion goes unnoticed increases the scope of what's exposed
- Regulatory and client reporting obligations depend on being able to say what happened, quickly and accurately
Without monitoring, a firm's first sign of a problem is often the consequence, not the cause.
Incident response and the accountability that follows a breach
Under SM&CR, when something goes wrong, questions get asked about who knew what and when. A firm without logging or monitoring can't answer those questions with any confidence, which turns an already difficult incident into a governance problem too. The FCA's operational resilience expectations similarly assume that firms can identify disruption quickly enough to act within their impact tolerances — something that's impossible without active monitoring in place.
Incident response planning matters just as much as detection. A plan that only exists on paper rarely survives the pressure of a real event. The key question becomes: "If we were compromised right now, how long would it take us to find out, and do we know exactly what to do the moment we did?"
Is your firm's technology environment resilient?
Find out whether your firm would detect a real incident quickly, or only after the damage is done.
Get your Technology Resilience ScoreThe problem with prevention-only thinking
Firms that invest heavily in prevention but not in detection are betting everything on their defences never failing, which no security professional would advise.
- No centralised logging across email, file systems and key applications
- No one actively reviewing logs or alerts on an ongoing basis
- Incident response plans that exist as documents but have never been rehearsed
- No clear process for notifying clients or regulators if an incident is confirmed
Prevention reduces the chance of an incident. It does nothing to shorten one that gets through.
What weak monitoring and incident response looks like in a financial services firm
These gaps show up consistently in firms that haven't yet invested in detection capability.
- No logging in place for key systems, or logs kept for too short a period to be useful
- No dedicated resource, internal or outsourced, reviewing security alerts
- No documented incident response plan, or one that hasn't been updated in years
- No defined roles for who does what during an incident
- No relationship in place with forensic or legal support before an incident happens
- No practice runs or tabletop exercises to test how the firm would actually respond
Each gap adds time to detection and confusion to response, both of which make an incident worse.
What strong looks like
A well-prepared firm has logging in place across its critical systems, with someone actively watching for anomalies rather than assuming silence means safety. An incident response plan exists, is understood by the people who'd need to use it, and has been tested through a realistic exercise rather than just written and filed.
When something does happen, a strong firm can say quickly what occurred, what was affected, and what's being done about it — to clients, to regulators and internally.
How this TRS domain helps financial services firms improve
The Monitoring, Logging & Incident Response domain of the Technology Resilience Score assesses whether a firm can actually detect suspicious activity and respond to it in a structured way, not just react after the fact.
- Reviews logging coverage across critical systems and applications
- Assesses whether alerts are actively monitored and investigated
- Checks whether an incident response plan exists and has been tested
- Identifies gaps in reporting obligations to clients and regulators
The result is a score out of 5, giving your firm a clear baseline and a structured improvement path from blind spots to genuine visibility.
Seeing what's actually happening
Every firm hopes it never needs an incident response plan. The firms that come through an incident with their reputation intact are the ones who could see it happening early enough to act, rather than finding out from a client or a regulator first.
The Technology Resilience Score gives ambitious financial services firms a benchmark across 10 domains, including Monitoring, Logging & Incident Response, so visibility becomes a design choice rather than a gap.