
Cyber Essentials for Financial Services: FCA, PRA and Client Expectations

Financial services firms face unique scrutiny on cyber controls. Where does Cyber Essentials fit alongside FCA SYSC, PRA SS1/21, and client due-diligence expectations?

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Published

Last reviewed

Read time

8 min read


Section 01

Cyber Essentials for Financial Services: FCA, PRA and Client Expectations

UK financial services firms sit under an unusually dense regulatory stack on cyber and operational resilience. The FCA, the PRA, the network operator that supervises them, the principal firm whose investment proposition they sell, and the institutional clients whose money they manage all have an opinion. Cyber Essentials is the one credential that almost all of them will accept as evidence of foundational cyber hygiene - but it is rarely sufficient on its own, and exactly where it fits varies by firm type.

This guide is for IFAs, wealth managers, principal firm networks, fund-management houses, and the long tail of FCA-authorised firms that are being asked for a Cyber Essentials certificate by a client, an insurer, or a regulator-adjacent due-diligence questionnaire.

Section 02

Does Cyber Essentials satisfy the FCA?

The honest answer is "it is necessary but not sufficient, and the FCA will not say so explicitly." The FCA does not endorse a single cybersecurity standard. What it does is set principles-based requirements in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) and in the Operational Resilience Policy Statement (PS21/3, in force March 2025), and expect firms to evidence proportionate controls.

For most small to medium FCA-authorised firms, Cyber Essentials and Cyber Essentials Plus are the most efficient way to demonstrate the foundational technical controls that those principles require. SYSC 6.1 (compliance) and SYSC 13 (operational risk) both implicitly require the controls Cyber Essentials covers - patching, malware protection, access control, secure configuration, perimeter defence - and an external certification provides independent attestation that you are doing them.

Cyber Essentials does not, however, cover the full operational resilience question set introduced under PS21/3. Important business services, impact tolerances, and the supervisory expectation that you can recover within tolerance under a severe-but-plausible scenario all sit above the Cyber Essentials baseline. A firm that has Cyber Essentials Plus, an Important Business Services register, and tested impact tolerances will have a credible cyber-resilience story for the FCA. A firm with Cyber Essentials alone has only the first piece.

Section 03

Does it satisfy the PRA?

For PRA-regulated firms - banks, insurers, and large investment firms - the picture is different. Supervisory Statement SS1/21 on operational resilience and SS2/21 on outsourcing and third-party risk management both require materially more than Cyber Essentials covers. In practice, PRA firms treat Cyber Essentials and Cyber Essentials Plus as a baseline expected of all third-party suppliers (and sometimes of the firm itself for procurement purposes), but their own ICT risk programmes are run against ISO 27001, NIST CSF, or a bespoke control framework.

If you are a PRA firm being asked about Cyber Essentials, the question is almost always about your supplier estate, not about you directly. If you are a supplier to a PRA firm, expect Cyber Essentials Plus to appear on the procurement questionnaire as a hard requirement.

Section 04

The principal firm and network case

A large share of UK retail financial advice is delivered through principal firm networks - St James's Place, Quilter, True Potential, and others. Network appointed representatives ("partners" in SJP language) are increasingly being mandated to hold Cyber Essentials by the network itself. This is not an FCA requirement; it is a network-level supervision tool. The networks have decided that the cheapest way to demonstrate adequate cyber controls across hundreds of small partner businesses is to require them all to certify.

For partners, this typically means:

  • Scope: the partner's own laptops, mobile devices, business email account, and any client-facing tools.
  • Cadence: annual recertification, tracked by the network's compliance team.
  • Evidence pack: a copy of the certificate uploaded to the network's compliance portal.

The pricing is identical to any other small business - typically around £315 for the base level - and the assessment can usually be completed inside a working day. The barrier is rarely cost; it is sequencing the few configuration changes that bring the laptop and mobile device estate into line with the standard.

Section 05

Wealth managers and the institutional client case

Wealth managers and discretionary fund managers face the third pressure: institutional client due diligence. Pension trustees, family offices, and corporate clients increasingly require Cyber Essentials Plus as a procurement gating item. The driver here is usually the client's own insurer or, for pension trustees, the Pensions Regulator's general guidance on cyber controls.

Cyber Essentials Plus, rather than the base level, is requested in this segment because it includes an external technical audit. Institutional clients want third-party validation that the controls actually work, not just a self-assessed declaration that they exist.

Section 06

Common scoping pitfalls in FS

Three scoping mistakes recur in financial services certifications.

The "back-office only" trap. Some firms try to scope out their client-facing front-office systems on the grounds that they are run by a third party. This is not how the scheme works. If you log into the system from a corporate device, that device is in scope. If your firm's data is in that system, the access controls protecting it are in scope.

Bring-your-own-device gaps. Adviser-owned mobile phones used for business email are a recurring blind spot. The 2026 scheme is unambiguous: a personally owned device used to access organisational data is in scope and must meet the configuration baseline.

Cloud app sprawl. A typical adviser firm has a CRM, a planning tool, a back-office system, a client portal, an email security gateway, and several specialised research subscriptions. All of them are in scope, and the administrator accounts on all of them must have MFA enforced. Unenforced MFA on one of these administrator accounts is the single most common evidence gap at submission.

Section 07

Fig's financial-services track

Fig works with a substantial book of FCA-authorised firms, including a meaningful share of SJP partners and IFA networks. The typical scope is straightforward: a small device estate, Microsoft 365 with the usual collection of CRM and planning add-ons, and one or two specialised cloud subscriptions. The pattern is consistent enough that we have built a financial-services-specific submission workflow that pre-populates the questions any FCA-authorised firm of that profile will need to answer.

For most FS firms working with us, the timeline from kick-off to certificate is one working week, with the actual assessor review completing inside six hours of submission. The cost is the same as for any other small business - published on the pricing page - with no FS premium.

Section 08

Next steps

If you have been asked for Cyber Essentials by your network, your insurer, or an institutional client, the fastest path is the free readiness check followed by a scoped quote. Talk to an FS-specialist assessor here if you want a 20-minute scoping call before committing.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
