The PRA’s DyGIST concluded in May 2026, and while insurance firms await the report due in June 2026, many are reflecting on the exercise's contents and their responses.
Unlike previous stress tests, DyGIST was designed as a dynamic, live, scenario-based exercise that unfolded over several weeks. Insurers were required to respond continuously to evolving information, reassess exposures, update assumptions, make time-critical decisions, and maintain ongoing communication with regulators, effectively operating as though multiple market crises were developing in real time.
According to Moody’s, the scenarios involved a rapid market downturn, a cyber attack on a supply chain, an earthquake in the Pacific Northwest, a Hurricane in the North Atlantic and a windstorm in the UK, and were designed to test governance structures, data infrastructure, crisis management, operational resilience and firms’ ability to make informed decisions while under significant pressures.
While the final industry-wide conclusions are still to be finalised, several themes have emerged for organisations throughout the exercise. These offer valuable insight into the challenges faced during DyGIST and how firms can prepare for future events, both fictional and real.
Data quality
One of the most pressing issues for insurers to consider in the light of DyGIST is the importance of obtaining timely, relevant and accurate exposure data.
Although most organisations hold substantial amounts of relevant data, it is often stored across multiple systems with inconsistent structures and is not aligned with a common classification framework. Within the cyber scenario, for example, as impacts expand beyond an initial sector into the wider supply chain, many firms will struggle to quickly identify accumulations of risk across portfolios that were not designed to be analysed together.
The challenge, therefore, is not that firms lack data, but rather that it is fragmented and inconsistent. Legacy systems and siloed reporting structures also have the potential to delay the interpretation of information with which to make rapid decisions.
How to address this:
- Establish a unified, enterprise-wide view of risk exposure
- Strengthen data governance and accountability frameworks
- Standardise risk classification systems across all business units
- Invest in real-time, integrated analytics and reporting tools
- Regularly conduct data quality reviews before regulatory exercises happen.
Firms need to ensure they have clear, connected data so they can make more confident decisions during a crisis.
Limited modelling approaches
DyGIST also has the potential to expose the limitations of traditional modelling frameworks, particularly around cyber and other emerging systemic risks. Firms must take into account rapidly changing and uncertain variables such as the duration of the disruption, the indirect impact on supply chains, challenges in interpreting coverage, secondary and tertiary economic effects, and the reaction of the financial market to any disruption, making it difficult for modelling teams to produce confident or stable outputs.
How to address this:
- Develop scenario-based and flexible modelling approaches
- Expand cyber and systemic risk modelling capabilities beyond direct loss estimation
- Incorporate expert assessments into stress-testing processes
- Use sensitivity analysis rather than single-point assumptions
- Regularly independently challenge and review underlying model assumptions.
It’s essential that modelling be used to inform and support decisions, not as a definitive answer in uncertain environments.
Pressure on resources
Another significant aspect that DyGIST was designed to test is the strength of firms’ internal resources. The exercise’s dynamic, semi-live format, which included new information released throughout the exercise, means that teams are required to respond quickly to deadlines, reassess positions, and collaborate across functions.
This can place considerable strain on resources, and requires that risk teams, claims specialists, actuarial functions, cyber experts, finance teams and senior management coordinate closely, often under tight time pressures, to ensure that key knowledge is shared.
How to address this:
- Create cross-functional crisis response teams in advance
- Broaden knowledge-sharing across teams to reduce dependency on individuals
- Document critical processes and assumptions clearly and thoroughly
- Conduct regular multi-team and multi-department simulation exercises
- Establish clear escalation pathways and decision-making frameworks.
Organisations can improve their resilience by treating crisis management as a shared responsibility rather than a specialist function.
Decision-making
DyGIST also highlights the need for firms to make timely decisions when full information is not available. If we consider the ransomware scenario that evolved over the course of the exercise, we see that by introducing new assumptions and changing exposure profiles, the PRA effectively required firms to balance speed and accuracy. If they delayed, they risked falling behind the progression of the scenario, yet if they acted too quickly, they risked misinterpreting the incomplete data.
The results of this part of the exercise will indicate whether firms’ governance structures are fit for purpose and can respond to fast-moving, uncertain crisis conditions rather than merely cope with routine operations.
How to address this:
- Define and implement crisis-specific governance frameworks
- Establish clear decision thresholds in advance
- Develop pre-approved response mechanisms for common crisis scenarios
- Empower designated crisis management teams to act quickly
- Maintain structured decision records for review and accountability.
These tactics will ensure that under uncertain conditions, timely, robust, and defensible decisions can be made, even when based on imperfect information.
Operational resilience and third parties
The DyGIST exercise also required insurers to consider their operational resilience, particularly in relation to their dependence on technology, digital infrastructure and third-party providers. Both the PRA and the FCA have issued guidelines to ensure that firms “have robust plans in place” to deal with operational resilience, cyber preparedness and third-party risk management. The exercise asked organisations to consider their dependence on external suppliers for critical operations, and what would happen if a disruption cascaded through interconnected systems, affecting multiple industries and supply chains. It’s therefore essential that firms understand their dependence on third-party technology and how that dependence affects their vulnerability.
How to address this:
- Map critical operational and technology dependencies across the organisation
- Assess concentration risk among third-party suppliers
- Conduct regular scenario planning, resilience and recovery testing
- Strengthen cyber incident response and recovery planning
- Continuously review third-party supplier risk exposure.
As firms become increasingly exposed to interconnected digital ecosystems, their resilience depends more on how well they understand external dependencies and their internal systems.
Communications
The final key theme of DyGIST was designed to ensure that organisations understand the importance of effective communication under stress and how complex technical information translates into clear, actionable decisions by leaders. The issue is that different teams often interpret the same scenario in vastly different ways. Technical specialists focus on detailed, granular output while senior executives require concise, decision-ready summaries which focus on implications and choices. If any disparity happens, effective decision-making can slow dramatically.
How to address this:
- Develop clear crisis communication protocols
- Use standardised reporting templates for clarity and consistency
- Conduct regular executive-level scenario exercises to improve alignment
- Strengthen communication between technical and leadership functions
- Train teams to share complex information in easy-to-understand language
- Focus on concise, detail-oriented business impact rather than technical detail.
The regulators’ message is that clear communication is essential for an effective response to a crisis.
Learning lessons from DyGIST 2026
DyGIST was designed to demonstrate to insurers that there are lessons to be learned about all aspects of their operations when challenges arise. Perhaps the most important one is that capital strength is not the primary measure of resilience. Rather, it shows that data quality, modelling approaches, resources, decision-making, operations and communication are of equal importance in maintaining an organisation’s ability to withstand severe disruption.
The firms that will have performed most effectively are those that were able to combine these factors and respond to rapidly changing conditions at pace, rather than relying on a single area.
As risk environments become more complex and pose even greater threats, future stress testing exercises are likely to place greater emphasis on adaptability, the speed of responses, and how firms make decisions in real time. It’s vital, therefore, that resilience is built-in before the next exercise or real life event occurs.
DyGIST was designed not only to ascertain how well organisations comply with financial regulations but also to demonstrate exactly how they respond to complexity, uncertainty and urgency and encourages them to reflect on how well they are prepared for the next threat.
If you’d like to discuss any of the issues raised here, contact us.
