Cyber security has become one of those topics that firms know matters, but which they are often pulled into thinking about reactively rather than proactively.
It has not crept into the advice world quietly. It has arrived through governance, outsourcing, and accountability. And whether advisers like it or not, it now sits firmly in the regulatory spotlight.
Recent industry coverage suggests many firms are still underestimating how exposed they are. Money Marketing recently warned, in a piece titled “Advice firms’ lack of focus on cybersecurity is ‘worrying’”, that regulators are increasingly concerned about a lack of focus on cybersecurity across advice firms, particularly where third parties are involved.
That concern is not abstract. It is already shaping the questions firms are being asked.
Why this feels different to before
For a long time, cyber security sat somewhere between IT support and platform providers. Many firms trusted that the right things were happening in the background, without needing to look too closely.
What has changed is not the threat itself. It is the expectation.
Under SYSC and Consumer Duty, firms remain responsible for client data and outcomes, even when work is outsourced. That responsibility cannot be passed down the chain.
FT Adviser has highlighted this shift repeatedly. Recent coverage (see “Adviser technology launch first step to ‘rethink investment process’”) shows firms being challenged less on whether they have policies, and more on whether they can evidence real, working controls.
Another piece points to cyber resilience becoming part of day-to-day governance, rather than something reviewed once a year: https://www.ftadviser.com/content/8fef799a-8fee-4fc0-9ac8-42cefeed9313
That is why this feels heavier than before. It is no longer a distant or technical issue.
Outsourcing does not reduce scrutiny
Most advice firms rely on third parties: platforms, CRMs, cloud storage, research tools, paraplanning, and suitability support.
Each relationship introduces risk, even when it works well.
Regulatory guidance on outsourcing and operational resilience is clear that firms must understand how those risks are managed. The Bank of England’s CBEST framework (CBEST Threat Intelligence-Led Assessments) reinforces this focus on real-world resilience rather than paper plans.
In practice, what often causes difficulty is not a lack of care, but a lack of evidence. Many firms trust their suppliers. Far fewer can clearly show how that trust is assessed, reviewed, and recorded.
What firms are really being judged on
From the conversations happening across the profession, regulators and insurers are not looking for perfection. They are looking for confidence and consistency.
They want firms to be able to explain, calmly and clearly:
- where client data sits
- how cyber risks are identified and owned
- how third-party providers are assessed and monitored
- what would happen if something went wrong
This is why independent assurance frameworks are getting more attention. They provide a shared reference point for firms, regulators, and insurers alike.
EIOPA’s work on the Digital Operational Resilience Act shows that this thinking extends well beyond UK advice firms.
And commentary like the Money Marketing weekend essay “Beware, the cyber hackers are coming” is a useful reminder that cyber risk is neither theoretical nor going away: https://www.moneymarketing.co.uk/opinion/weekend-essay-beware-the-cyber-hackers-are-coming/
A few questions worth asking internally
For many firms, the challenge is not willingness. It is knowing what good looks like in practice.
A few questions that often help bring clarity:
- Do we know exactly where our client data lives?
- Could we confidently explain our cyber controls to a regulator or insurer?
- Do we review supplier security regularly, or only at onboarding?
- If an incident happened tomorrow, would roles and responses be clear?
These are governance questions, not technical ones.
Where standards like ISO 27001 fit
Frameworks such as ISO 27001 are appearing more often in regulatory and due diligence conversations because they force structure.
They require risks to be identified, controls to be documented, and reviews to happen on an ongoing basis. For many firms, that helps remove subjectivity from conversations about cyber and data security.
That does not mean every advice firm needs certification. It does mean firms need a credible way to demonstrate control, rather than relying on assumptions.
Often, it is less about the standard itself, and more about being able to answer questions with confidence when they arise.
A final thought
Cyber resilience might not feel connected to day-to-day advice, but when data integrity fails, trust fails. And trust underpins everything advisers do.
Firms that take time now to understand their exposure, tighten oversight, and document decisions will be far better placed as scrutiny continues to increase.
If nothing else, this is a good moment to pause and ask whether you would feel comfortable evidencing your position, not just explaining it.
If you are already having those conversations internally, you are not behind. You are very much in step with where the profession is heading.
