News
27.04.26
Guidance for Firm Cyber Recovery Capabilities
New CMORG Guidance: Firm Cyber Recovery Capabilities
CMORG has published its Guidance for Firm Cyber Recovery Capabilities, supporting financial institutions in preparing for and recovering from the most severe cyber incidents, including extreme, sector‑wide scenarios that could threaten the ongoing viability of a financial institution.
As cyber attacks increase in scale and sophistication, industry experience has shown that prevention and response alone may not always be sufficient. Firms should also be able to recover credibly and safely, including where production and disaster recovery environments are suspected to be compromised and conventional mechanisms may not be viable.
What is this guidance?
The paper provides voluntary, principles‑based guidance describing outcomes and enabling capabilities that may support recovery from viability‑threatening cyber incidents. It establishes a shared language and framing for cyber recovery, covering:
- Governance and strategy, rooted in board oversight and risk appetite
- Cyber recovery capabilities, including data protection, isolation, and trusted recoverability
- Recovery sequencing, from invocation through service resumption
- Assurance and continuous improvement, recognising limits to what can be fully tested
It is not a prescriptive architecture, recovery playbook, supervisory standard, or regulatory expectation. Instead, it is intended to support proportionate, risk‑based decision‑making in an area that remains complex, evolving, and inherently uncertain.
Who is it for?
The guidance is aimed at senior management and those with operational accountability for cyber recovery, including boards, executives, cyber and technology leaders, operational resilience teams, and crisis management owners. It is designed to support cross‑functional dialogue, particularly for firms whose disruption could result in material customer, market, or systemic harm.
Key messages
- Cyber recovery is distinct from incident response
Recovery from a viability‑threatening cyber incident introduces different challenges, decisions, and risks than traditional incident management. Today it is, in many respects, non‑deterministic, prolonged, and often dependent on degraded environments. Firms should plan for this explicitly rather than assuming existing response arrangements will scale.
- Recovery should be anchored in strategy and risk appetite
Effective recovery begins with clear strategic choices: what the firm is trying to protect, what minimum level of service it is working toward, which scenarios it prepares for, and what disruption it is prepared to tolerate. Without these decisions, recovery efforts risk becoming overly complex, brittle, or infeasible.
- Survivability requires prioritisation and realism
In scenarios that threaten firm viability, restoring all important business services within their time‑based impact tolerances (IToLs) is unlikely to be achievable. Firms are encouraged to define a minimum viable scope focused on survivability, explicitly documenting assumptions, constraints, and known limitations, including what will not be prioritised for initial recovery.
- Capabilities should be designed as an end‑to‑end lifecycle
Cyber recovery capabilities are not static tools. They should be designed, implemented, tested, operated, and evolved as an integrated lifecycle, aligned to the firm’s operating model and dependencies, and supported by clear processes that work when normal services are unavailable.
- Trust in recovery data is fundamental
Recovery depends not just on having data, but on being able to trust it. The guidance emphasises protection, isolation, and trusted recoverability, including the ability to detect tampering, validate integrity, and confirm fitness for use before services are restored.
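One concrete form that "detect tampering, validate integrity, and confirm fitness for use" can take is an authenticated digest manifest checked before anything is restored. The example below is added here to illustrate the point and is not code from CMORG or the guidance; the artefact names, contents and signing key are constructed, and the assumption that the manifest key is held only in the isolated recovery vault (so a compromised production estate cannot re‑sign a tampered manifest) is the example's own.

```python
import hashlib
import hmac
import json

# Constructed sample restore set (artefact name -> bytes). Stand-in for files
# read back from isolated backup storage; not data from the guidance.
RESTORE_SET = {
    "customer-ledger.db": b"acct,balance\n1001,250.00\n1002,75.10\n",
    "payments-config.yaml": b"settlement_window: 30m\nmax_batch: 500\n",
}

# Hypothetical manifest-signing key. Assumption: it lives in the isolated
# recovery vault, never on production hosts, so a production compromise
# cannot produce a valid MAC over a tampered digest list.
VAULT_MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(obj) -> bytes:
    # Stable serialisation so the MAC covers exactly one byte representation.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """At backup time: record a digest per artefact and authenticate the list."""
    body = {name: sha256_hex(data) for name, data in sorted(files.items())}
    mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"artefacts": body, "mac": mac}


def verify_restore_set(files: dict, manifest: dict, key: bytes) -> tuple[bool, list[str]]:
    """At restore time: return (fit_for_use, findings). Any finding blocks restoration."""
    findings: list[str] = []
    body = manifest.get("artefacts", {})
    expected_mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Check the manifest itself first: if it cannot be authenticated, none of
    # the digests it carries can be relied on.
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        findings.append("manifest authentication failed: digest list cannot be trusted")
        return False, findings
    for name, digest in body.items():
        if name not in files:
            findings.append(f"missing artefact: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            findings.append(f"digest mismatch (possible tampering): {name}")
    for name in files:
        if name not in body:
            findings.append(f"unexpected artefact not in manifest: {name}")
    return not findings, findings


def demo() -> dict:
    """Run the check against an intact set, a tampered file, and a forged manifest."""
    manifest = build_manifest(RESTORE_SET, VAULT_MANIFEST_KEY)
    intact = verify_restore_set(RESTORE_SET, manifest, VAULT_MANIFEST_KEY)

    # Constructed tampering: a balance altered in the backed-up ledger.
    tampered = dict(RESTORE_SET)
    tampered["customer-ledger.db"] = b"acct,balance\n1001,999999.00\n1002,75.10\n"
    tampered_result = verify_restore_set(tampered, manifest, VAULT_MANIFEST_KEY)

    # A manifest rebuilt to match the tampered data, but without the vault key.
    forged = build_manifest(tampered, b"some-other-key-not-the-vault-key")
    forged_result = verify_restore_set(tampered, forged, VAULT_MANIFEST_KEY)

    return {"intact": intact, "tampered": tampered_result, "forged_manifest": forged_result}


if __name__ == "__main__":
    for case, (ok, findings) in demo().items():
        print(f"{case}: {'fit for use' if ok else 'BLOCKED'} {findings}")
```

The ordering matters: the manifest is authenticated before any per‑file digest is consulted, because a digest list that an attacker could rewrite proves nothing. In a real deployment the manifest and key would be written to the isolated environment at backup time and the check would gate every restore step.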
- Sequencing and assurance enable safe resumption
Recovering services safely requires disciplined sequencing, managing dependencies, and providing credible assurance, both internally and externally, at each stage. Service resumption should be framed in terms of explicitly governed, bounded risk and clearly stated assumptions, rather than implied certainty.
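Disciplined sequencing over a dependency graph, limited to the minimum viable scope described above, can be made mechanical. The following is an added example, not CMORG's or the guidance's own material: the service names and dependency map are constructed, and it computes which services must be restored before others, in parallelisable waves, refusing to produce a plan when the declared dependencies form a cycle (a fragility the exercise would then surface).

```python
from collections import deque

# Constructed dependency map: service -> services that must be running first.
# Illustrative only; not a real firm's service catalogue.
DEPENDENCIES = {
    "identity": [],
    "core-ledger": ["identity"],
    "messaging": ["identity"],
    "payments": ["core-ledger", "identity", "messaging"],
    "mobile-app": ["payments", "core-ledger"],
    "analytics": ["core-ledger"],
}


def recovery_sequence(deps: dict, minimum_viable_scope: list) -> list:
    """Return restore waves (lists of services) covering the minimum viable
    scope and everything it transitively depends on. Each wave can be
    restored in parallel once the previous wave is confirmed up."""
    # Transitive closure: everything the scoped services need.
    needed = set()
    stack = list(minimum_viable_scope)
    while stack:
        svc = stack.pop()
        if svc in needed:
            continue
        needed.add(svc)
        stack.extend(deps[svc])  # KeyError on an undeclared service is deliberate

    # Kahn's algorithm restricted to the needed subgraph.
    indegree = {svc: len(deps[svc]) for svc in needed}
    dependents = {svc: [] for svc in needed}
    for svc in needed:
        for dep in deps[svc]:
            dependents[dep].append(svc)

    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    waves, placed = [], 0
    while ready:
        wave = sorted(ready)
        ready.clear()
        waves.append(wave)
        placed += len(wave)
        for svc in wave:
            for child in dependents[svc]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)

    if placed != len(needed):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(recovery_sequence(DEPENDENCIES, ["payments"]), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Restricting the plan to the minimum viable scope is what keeps "analytics" and "mobile-app" out of the initial sequence here; documenting that exclusion is part of the realism the guidance asks for.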
- Recovery capability is never “done”
Cyber recovery is an evolving discipline. The guidance stresses continuous improvement, recognising that not everything can be fully tested, and that learning should be continuously incorporated from exercises, incidents, technological change, and emerging threats.
Looking ahead
This guidance aims to help firms strengthen individual recovery capability while supporting more resilient outcomes at the sector level.
CMORG encourages firms to use the guidance as a discussion tool, rather than a checklist, to challenge assumptions, surface fragilities, and inform proportionate investment in recovery preparedness.
By David Boswell (Morgan Stanley Executive Director, EMEA Head of Fusion)