Cyber Essentials Plus for UK Financial Services: FCA Operational Resilience, Third-Party Risk, and Client Mandate Requirements

Three drivers bring an FCA-regulated firm to Cyber Essentials Plus. The operational resilience framework PS21/3 is one. Institutional-client cyber questionnaires that name CE Plus explicitly are another. PI and crime renewals asking increasingly specific cyber questions are the third. Most boutique firms now meet all three at once.
What follows is what the FCA expects from the cyber-controls side of operational resilience, what institutional clients put in their questionnaires, what the insurers are asking about now, and how a firm with a small in-house IT function or an outsourced MSP closes the gap.
What the FCA actually expects
The FCA does not name Cyber Essentials Plus. The Handbook names the obligations that CE Plus closes.
SYSC 4 requires firms to have robust governance arrangements, effective processes to identify and manage risk, and adequate internal control mechanisms. SYSC 13, applicable to insurers, takes operational risk management further into specific systems-and-controls expectations. Both are framed as outcomes the firm's senior management is accountable for, with no scheme prescribed.
The Operational Resilience Policy Statement PS21/3, jointly issued by the FCA, the PRA, and the Bank of England, raised the bar. Firms must identify their important business services, set impact tolerances for disruption, and demonstrate the ability to remain within those tolerances. The 31 March 2025 maturity deadline has now passed, which means firms are inside the supervisory window, not the preparation window.
Cyber controls fit into operational resilience at two layers. The first is the cyber posture that prevents a disruption to the important business services in the first place. The second is the shape of the recovery if a disruption happens. Cyber Essentials Plus produces externally verified evidence on the first layer. It is not a recovery framework, but it is the cleanest single artefact for the cyber-controls section of the operational-resilience self-assessment file the regulator can ask for.
What I have seen across FS-sector engagements is that the COO and the compliance officer do the operational-resilience workstream, and the cyber-controls evidence is the line item they need an external party to produce. CE Plus is what closes that line item.
The five controls map onto the practical work of operational resilience without much translation. Firewalls keep traffic that should not reach the firm's network from reaching it. Secure configuration removes default credentials and exposed services from the firm's devices. User access control restricts trading-platform and portfolio-management access to the people authorised to hold it. Malware protection runs on every device that touches client data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.
A firm with those controls in place is meeting the cyber-posture shape of SYSC 4, SYSC 13, and the operational resilience framework. Without them, the firm is exposed at the next supervisory visit and at the next institutional-client procurement review.
What institutional client questionnaires want
Pension funds, family offices, corporate treasuries, and the larger institutional managers now run cyber reviews on the external firms they place mandates with. The questionnaire is the deliverable. Across the engagements we have run, the questions have settled into a recognisable pattern.
The certificate question always sits at the top. The questionnaire wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.
After the certificate comes multi-factor authentication. The questionnaire wants confirmation that MFA is enabled on every account with access to client data, including the partner accounts and the senior trader accounts. Senior accounts are where MFA most often gets rolled back because an integration broke, so most questionnaires want the coverage broken out by user category. The CE Plus assessment day samples the identity layer to confirm what is actually enrolled in production.
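The per-category breakdown the questionnaire asks for is straightforward to produce from an identity-provider export, and producing it before assessment day is how a firm finds the senior account whose MFA was quietly switched off. The following Python is an added example, not NetSec's tooling or the scheme's own assessment method; the account records are constructed for illustration, and the field names (`category`, `client_data_access`, `mfa_enrolled`) are assumptions about what a real export would carry. It counts only accounts that can reach client data, reports enrolled-over-total per category, and lists the gaps with whatever exception note the administrator left behind.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    upn: str
    category: str            # e.g. "partner", "senior_trader", "analyst", "ops", "service"
    client_data_access: bool  # can this account reach client data (trading, PM tool, repository)?
    mfa_enrolled: bool        # what the IdP reports as enrolled today, not what the policy says
    exception_note: str = ""  # free text the admin left when MFA was disabled


# Constructed sample export. In practice this is the identity provider's per-user
# authentication-methods report, exported the day before the questionnaire is answered.
SAMPLE_EXPORT = [
    Account("a.partner@example.test", "partner", True, True),
    Account("b.partner@example.test", "partner", True, False, "legacy mail client broke; MFA disabled"),
    Account("c.trader@example.test", "senior_trader", True, True),
    Account("d.trader@example.test", "senior_trader", True, False, "trading-platform SSO integration"),
    Account("e.analyst@example.test", "analyst", True, True),
    Account("f.analyst@example.test", "analyst", True, True),
    Account("g.ops@example.test", "ops", False, True),
    Account("svc-backup@example.test", "service", True, False, "service account, no interactive login"),
]


def coverage_by_category(accounts):
    """Return {category: (enrolled, total)} over accounts with client-data access only."""
    totals = defaultdict(lambda: [0, 0])
    for a in accounts:
        if not a.client_data_access:
            continue  # accounts that cannot reach client data are out of scope for this question
        totals[a.category][1] += 1
        if a.mfa_enrolled:
            totals[a.category][0] += 1
    return {cat: (enrolled, total) for cat, (enrolled, total) in totals.items()}


def uncovered(accounts):
    """Accounts that can reach client data and have no MFA: these are the findings."""
    return [a for a in accounts if a.client_data_access and not a.mfa_enrolled]


def fully_covered(accounts):
    """True only when every client-data account, in every category, is enrolled."""
    return not uncovered(accounts)


def questionnaire_rows(accounts):
    """Render the per-category lines the questionnaire asks for, sorted by category."""
    rows = []
    for cat, (enrolled, total) in sorted(coverage_by_category(accounts).items()):
        rows.append(f"{cat}: {enrolled}/{total} ({100 * enrolled // total}%)")
    return rows


if __name__ == "__main__":
    for row in questionnaire_rows(SAMPLE_EXPORT):
        print(row)
    for a in uncovered(SAMPLE_EXPORT):
        print(f"GAP {a.upn} [{a.category}] {a.exception_note}")
```

Service accounts show up in the gap list deliberately: an account with no interactive login still needs an answer on the questionnaire (a documented exception with compensating controls), so it should not disappear from the count just because nobody types its password.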
Patching cadence is next. The Cyber Essentials scheme requires patches inside 14 days of vendor release for anything at CVSS 7.0 or higher. The questionnaire wants to know whether the firm holds to that across the trading platform, the portfolio-management application, the document repository, and the desktop estate. The CE Plus assessment confirms the cadence held in practice across a sample of devices.
The remaining questions move from technical controls into operational governance. The institutional client wants a named incident-response contact, a documented response process with defined notification thresholds, and evidence that the firm assesses its own IT vendors. CE Plus does not directly assess incident response, but the operational discipline it requires usually sits next to a documented response process. CE Plus scope does include the firm's third-party tools, which means the supplier question is partially answered by the certificate.
Where the answers land varies sharply by which certificate the firm holds. With a current CE Plus, the cyber section closes on the certificate alone. With CE Basic, parts of it close. With neither, the firm gets a long-form security audit from the institutional client's cyber team, on a deadline that almost always came from the procurement-cycle calendar rather than from anything the firm controls.
The PI and crime insurance angle
PI and crime insurance renewals in financial services now include a cyber security section. The questions overlap with the institutional-client questionnaire because the insurer is pricing the same risk: the likelihood of a client-data exposure or a fraud loss and the firm's likely response when it happens.
Most FS-sector insurers ask whether the firm holds a Cyber Essentials or Cyber Essentials Plus certificate. Many give favourable consideration to firms holding Plus. The specific premium adjustment varies by insurer and by firm. The broker is the right person to confirm what a CE Plus certificate would mean for a specific renewal.
The honest framing is that CE Plus produces a documented, externally verified statement of cyber controls that the insurer can evaluate against a known scheme. Insurers like known schemes because they reduce underwriting friction. The premium effect, if any, sits downstream of that.
The MSP gap
This is where most FS-firm CE Plus engagements run into the practical gap.
A typical boutique runs on three application stacks: the trading platform, vendor-managed and usually patched on a vendor cadence the firm does not control directly; Microsoft 365, usually administered by the MSP; and the portfolio-management application, often a SaaS tool the partners adopted directly without going through central procurement.
CE Plus checks several layers across all three: application-layer patching on the trading platform if it presents a client-side application, on the portfolio-management application, and on any compliance or surveillance tooling the firm uses; browser plug-ins and extensions, including the ones partners installed individually for market-data overlays or expense scanning; firmware on the perimeter device, which the MSP often relies on the network vendor to handle; third-party SaaS tools partners adopted without central procurement; and identity-layer hygiene, including MFA coverage on the senior trader accounts and the compliance-officer account that may have been excluded because an integration broke.
The first scan in a CE Plus engagement reveals the gap between what the MSP manages and what the assessor will sample.
A pattern that turns up across boutique engagements: the portfolio-management application is on a vendor release that was superseded eight months ago, with a known high-severity CVE the firm never applied because the upgrade required a brief platform downtime nobody scheduled. The MSP applied OS patches and treated the firm as patched. The application-layer gap sat outside the MSP's scope and outside the partners' visibility until the assessor's report landed.
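The pattern above, and the 14-day cadence the questionnaire asks about, can both be checked from two inputs the firm already has: an inventory of what is installed on each device, and the vendor release history with the severity of what each release fixed. The following Python is an added example, not NetSec's Cyber 365 scanner or any assessor's tooling; every product name, version, date and CVSS score in it is constructed, and the feed layout is an assumption about what a real inventory and release feed would contain. It applies the scheme's rule as the text states it (a fix for anything at CVSS 7.0 or higher must be on the device within 14 days of release) and reports findings by layer, so an estate where the MSP has patched the operating system but nobody owns the application layer shows up as exactly that.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials: critical/high fixes applied inside 14 days
SEVERITY_THRESHOLD = 7.0           # CVSS base score at which the 14-day window applies


def parse_version(v):
    """Dotted numeric versions only (assumption); compare as tuples so 5.10 > 5.9."""
    return tuple(int(part) for part in v.split("."))


# Constructed inventory: (device, product, installed version, layer).
# Layer is what decides who owns the fix: the MSP typically owns "os", nobody owns the rest.
INVENTORY = [
    ("DESK-PARTNER-01", "OS", "10.0.26100.2314", "os"),
    ("DESK-PARTNER-01", "PortfolioManager", "5.1.4", "application"),
    ("DESK-PARTNER-01", "TradingDesk", "12.0.3", "application"),
    ("DESK-TRADER-02", "OS", "10.0.26100.2314", "os"),
    ("DESK-TRADER-02", "PortfolioManager", "5.1.4", "application"),
    ("DESK-TRADER-02", "MarketOverlayExt", "1.8.0", "browser_extension"),
    ("FW-EDGE-01", "EdgeFirmware", "7.0.2", "firmware"),
]

# Constructed vendor release feed: (product, version, release date, highest CVSS fixed).
RELEASES = [
    ("OS", "10.0.26100.2314", date(2025, 11, 12), 8.8),
    ("PortfolioManager", "5.2.0", date(2025, 3, 4), 8.1),   # superseded months ago, high-severity fix
    ("PortfolioManager", "5.2.1", date(2025, 9, 20), 4.3),  # below threshold: no 14-day clock
    ("TradingDesk", "12.0.3", date(2025, 11, 1), 7.5),
    ("MarketOverlayExt", "1.9.0", date(2025, 10, 30), 7.2),
    ("EdgeFirmware", "7.1.0", date(2025, 11, 10), 9.1),
]

TODAY = date(2025, 11, 20)  # constructed "first scan" date


def patch_findings(inventory, releases, today):
    """One finding per (device, product, qualifying release) the device has not reached.

    status is "overdue" when the 14-day window has closed, "in_window" when it is still open.
    """
    findings = []
    for device, product, installed, layer in inventory:
        installed_v = parse_version(installed)
        for prod, ver, released, cvss in releases:
            if prod != product or cvss < SEVERITY_THRESHOLD:
                continue  # different product, or a release the scheme does not put a clock on
            if parse_version(ver) <= installed_v:
                continue  # device is on or past this release
            deadline = released + PATCH_WINDOW
            overdue_days = (today - deadline).days
            findings.append({
                "device": device,
                "product": product,
                "layer": layer,
                "installed": installed,
                "required": ver,
                "cvss": cvss,
                "status": "overdue" if overdue_days > 0 else "in_window",
                "days_overdue": max(0, overdue_days),
            })
    return findings


def overdue_by_layer(findings):
    """Count overdue findings per layer: the view that exposes the MSP-scope gap."""
    counts = {}
    for f in findings:
        if f["status"] == "overdue":
            counts[f["layer"]] = counts.get(f["layer"], 0) + 1
    return counts


if __name__ == "__main__":
    results = patch_findings(INVENTORY, RELEASES, TODAY)
    for f in results:
        print(f"{f['status']:9} {f['device']:16} {f['product']:18} "
              f"{f['installed']} -> {f['required']} ({f['layer']}, {f['days_overdue']}d overdue)")
    print("overdue by layer:", overdue_by_layer(results))
```

On the constructed data the operating system is clean on every desktop, the portfolio-management application is 247 days past its deadline on two devices, a browser extension is a week overdue, and the perimeter firmware still has four days left in its window. That split is the conversation to have with the MSP before the assessor has it for you.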
The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the firm agree the application-layer remediation owner for each finding. The COO makes the operational call on the portfolio-management upgrade scheduling. The certificate issues once the gap closes.
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. The FCA's operational resilience framework expects a continuous posture. Those two timeframes do not line up without something running in between.
That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For an FCA-regulated firm operating under PS21/3, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since, which is what the operational-resilience evidence file actually needs.
The Danzell assessment platform introduced in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The operational-resilience principle the FCA already expected the firm's senior management to operate under has now been written into the scheme rules the firm's certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the firm, the trading-platform and portfolio-management application names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including partner and senior trader accounts, and the institutional-client questionnaire or PI deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the firm wants the year-round discipline added, the Cyber 365 programme alongside it.
For firms that already hold a current CE Plus certificate, Cyber 365 sits alongside whatever certification arrangement is in place. For firms starting from neither, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with the year-round discipline into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
The FCA's operational resilience framework places the responsibility for the cyber posture protecting important business services on the firm's senior management. Cyber Essentials Plus produces the dated, externally verified evidence that the posture was in place on assessment day. Cyber 365 produces the continuous discipline the framework expects between assessment days.