Why Financial Advisors Need Cyber Essentials

Financial advisors handle some of the most sensitive personal data of any small or medium-sized business. Portfolio values, tax records, bank details, national insurance numbers, addresses, and family circumstances all pass through your systems daily. Cyber Essentials covers the five technical controls that protect that data. If you're advising clients on their financial future without basic cybersecurity certification, you're one phishing email away from a regulatory conversation you don't want to have.
What data are you actually sitting on?
Most financial advisors don't think of themselves as data-heavy businesses. You're not a bank and you're not running servers. But look at what you handle on a typical day.
Client portfolio data, tax returns and self-assessment information, bank account and sort code details, national insurance numbers, copies of passports and driving licences for identity verification, notes from client meetings about health and family disputes and inheritance plans, and correspondence with solicitors and accountants containing all of the above.
That data sits in your email, in your customer relationship management (CRM) system, in cloud storage folders you share with paraplanners, and sometimes on your phone.
If someone gets into your email account, they get all of it. And 85% of UK businesses that identified a breach experienced phishing attacks.
Why does this matter now?
Two things changed that make this worth paying attention to now.
First, the breach rate is moving in a direction that should worry any small practice. The government's Cyber Security Breaches Survey put the figure at 50% of UK businesses in 2024, dropping to 43% in 2025. But phishing attempts actually went up during the same period. Smaller businesses are not safer; they're just less likely to notice they've been hit.
Second, Cyber Essentials itself changed with the Danzell update, which takes effect on 27 April 2026 and makes the requirements harder in ways that hit financial advisors directly. Personal devices used for work are now in scope, cloud services can't be excluded, and multi-factor authentication is mandatory on every cloud account that supports it.
If you use a personal laptop to access client data, that laptop needs to meet the standard. If you check your work email on your phone, that phone is in scope too.
What does Cyber Essentials actually cover?
There are five technical controls in total, and each one matters for a financial advice practice, but for different reasons.
Firewalls. Your router's firewall stops unauthorised connections to your network. If you work from home on a domestic broadband connection (and most independent advisors do), the default settings on your internet service provider's router are probably fine for Cyber Essentials. But you need to know what those settings are, and you need to have changed the default admin password.
Secure configuration. Default passwords get changed, unnecessary software gets removed, auto-run is turned off, and guest accounts are disabled. This is the control that catches people out because it sounds obvious but almost nobody does all of it. Your laptop came with trial software you never use, Bluetooth is probably on, and file sharing might be enabled without you realising it. All of that needs tidying up before an assessment.
User access control. Every person who touches your systems has their own account with no shared logins. Admin accounts are only used for admin tasks, not for day-to-day work. If your paraplanner logs in with your credentials because "it's easier," that fails the assessment.
Under Danzell, multi-factor authentication (MFA) is mandatory on all cloud services that support it. That means your email, your CRM, your cloud storage, and your accounting software all need MFA enabled. If the service offers it and you haven't turned it on, you fail. Passwords without MFA need to be at least 12 characters, and with MFA enabled the minimum drops to eight.
Malware protection. You need active malware protection on every device in scope. On Windows, that includes Microsoft Defender if you don't have a third-party product. On macOS, the built-in protections cover the requirement if they're enabled and up to date. But you need to confirm they're actually running, not just assume.
Patch management. Operating system updates and application updates must be applied within 14 days of release for anything rated critical or high risk (CVSS 7.0 or above). That's 14 calendar days, not 14 business days. If you're the type who clicks "remind me later" on Windows Update, this is the control that will catch you.
Danzell also brought in a second sample rule for Cyber Essentials Plus. If the assessor finds unpatched vulnerabilities on the first random device sample, they pick a second batch. If the second batch has the same problem, you have 30 days to fix everything or you fail.
Do personal devices count?
Yes, and this is the change that affects financial advisors most directly.
Under the previous version (Willow), personal devices were easier to exclude. Under Danzell, any device that accesses organisational data or services is in scope. The only exceptions are devices used solely for voice calls, text messages, or MFA apps.
If you read client emails on your personal phone, that phone is in scope. If your paraplanner uses their own laptop, that laptop is in scope. If you access your CRM on a tablet at home, that tablet is in scope.
The practical effect is that you either bring those devices into compliance (updates applied, malware protection running, MFA enabled, screen lock configured) or you stop using them for work. Most advisors will find it easier to bring them into compliance than to stop checking emails on their phone.
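As an added example (not from the original article and not Cyber Essentials' own tooling), this Python pre-check applies the Danzell rules described in the controls section and in the device-scope section above to a constructed inventory of devices, accounts and patches: the calls/texts/MFA-app exemption, the MFA and password-length rule, and the 14 calendar day window for CVSS 7.0 or higher patches. The control names, the inventory format and all sample values are assumptions made for illustration.

```python
from datetime import timedelta, date

PATCH_WINDOW_DAYS = 14                      # calendar days, not business days
CVSS_THRESHOLD = 7.0                        # critical/high patches fall under the 14-day rule
EXEMPT_USES = {"calls", "sms", "mfa_app"}   # the only uses that keep a device out of scope
REQUIRED_CONTROLS = ("patched", "malware_protection", "screen_lock")  # assumed control names

def device_in_scope(uses):
    """A device is in scope unless it is used solely for calls, texts or MFA apps."""
    return bool(set(uses) - EXEMPT_USES)

def account_problems(account):
    """MFA must be on where supported; passwords need 12 chars without MFA, 8 with it."""
    problems = []
    if account["mfa_supported"] and not account["mfa_enabled"]:
        problems.append("MFA available but not enabled")
    minimum = 8 if account["mfa_enabled"] else 12
    if account["password_length"] < minimum:
        problems.append(f"password shorter than {minimum} characters")
    return problems

def patch_overdue(released, applied, today, cvss):
    """True if a CVSS >= 7.0 patch was not applied within 14 calendar days of release."""
    if cvss < CVSS_THRESHOLD:
        return False
    deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
    return (applied if applied is not None else today) > deadline   # day 14 itself is on time

def assess(devices, accounts, patches, today):
    """Return findings against the rules above; an empty list means nothing was flagged."""
    findings = []
    for name, dev in devices.items():
        if device_in_scope(dev["uses"]):
            findings += [f"{name}: in scope, {c} missing" for c in REQUIRED_CONTROLS if not dev["controls"].get(c)]
    for name, acct in accounts.items():
        findings += [f"{name}: {p}" for p in account_problems(acct)]
    for p in patches:
        if patch_overdue(p["released"], p["applied"], today, p["cvss"]):
            findings.append(f"{p['host']} {p['patch']}: past the 14-day window")
    return findings

# Constructed sample inventory for a one-advisor practice (hypothetical values, not real data)
DEVICES = {"advisor-phone": {"uses": ["calls", "sms", "email"],
                             "controls": {"patched": True, "malware_protection": True, "screen_lock": False}},
           "spare-phone": {"uses": ["calls", "mfa_app"], "controls": {}}}   # solely calls + MFA app: out of scope
ACCOUNTS = {"m365-advisor": {"mfa_supported": True, "mfa_enabled": False, "password_length": 10},
            "crm-paraplanner": {"mfa_supported": True, "mfa_enabled": True, "password_length": 9}}
TODAY = date(2026, 5, 16)   # patches below were released 1 May, so the deadline was 15 May
PATCHES = [{"host": "laptop", "patch": "os-update-a", "cvss": 8.1, "released": date(2026, 5, 1), "applied": None},
           {"host": "laptop", "patch": "app-update-b", "cvss": 5.5, "released": date(2026, 5, 1), "applied": None},
           {"host": "laptop", "patch": "os-update-c", "cvss": 9.0, "released": date(2026, 5, 1), "applied": date(2026, 5, 15)}]

if __name__ == "__main__":
    print(*assess(DEVICES, ACCOUNTS, PATCHES, TODAY), sep="\n")
```

Run as-is it reports four findings: the in-scope phone without a screen lock, the two problems on the account without MFA, and the high-severity patch that is a day past its window; the spare phone and the patch applied on day 14 are not flagged.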
You can read more about how this works in the BYOD device classification guide.
Does the FCA require Cyber Essentials?
Not at this stage. The FCA has operational resilience requirements and expects firms to manage cyber risk, but it hasn't mandated Cyber Essentials by name.
The direction of travel is hard to ignore though. The NHS requires it through the Data Security and Protection Toolkit. The Department for Education requires it for schools. Government contracts involving personal data or ICT services require it. Financial services is one of the few regulated sectors that hasn't added it to the list yet.
That doesn't mean you should wait for them to mandate it. Professional indemnity insurers are increasingly asking about cyber security controls. If your client data gets compromised and your insurer asks whether you held Cyber Essentials certification, "no" is an expensive answer.
The FCA angle
The FCA's operational resilience framework under PS21/3 doesn't name Cyber Essentials. But it requires firms to manage ICT risks effectively, protect client assets, and secure data against unauthorised access. That should sound familiar, because it's the same ground CE covers, just described in regulatory language instead of technical controls (consistent with the 2024 perimeter evaluation criteria).
Here's how the mapping works in practice. The FCA expects proportionate systems and controls for ICT risk. CE gives you five documented, tested controls that a government-backed standard says are proportionate. The FCA expects you to protect client data. CE's user access control and secure configuration controls do exactly that. The FCA expects you to be able to demonstrate what you had in place if something goes wrong. CE gives you a certificate, a scope description, and an assessment record.
Financial advisors already deal with compliance every day, and CE isn't adding a completely new burden. It's giving you a framework that happens to satisfy what the FCA is already asking for, with the bonus of a certificate that proves it.
The other thing worth knowing: PS21/3 has been in full force since March 2025. If you haven't thought about operational resilience yet, CE is a practical starting point. It won't cover everything the FCA expects, but it covers the technical controls that stop the most common attacks. And it's a lot easier to explain to a regulator than "we thought our IT provider had it covered."
What I see when I assess financial services firms
I've assessed enough financial advisory practices to spot the patterns. The same issues come up nearly every time.
Legacy CRM systems are the biggest one. Some of the platforms advisors use haven't had a security update in years. They're still running, they still hold client data, and the vendor's support page hasn't been updated since 2019. That's a patching failure waiting to happen, and under Danzell's 14-day rule it could fail the assessment outright.
Shared login accounts are the second most common issue, with back-office staff sharing a single login to the CRM, the email system, or the practice management platform. It's common because it's convenient, but it fails the user access control requirement immediately. Every person needs their own account, with their own credentials, and admin accounts can't be used for day-to-day work.
Personal devices used for client emails are the third. This is the one that affects financial advisors more than most sectors. You're reading client portfolio updates on your phone at 7am. Your paraplanner checks email on a personal tablet. Under Danzell, those devices are in scope. They need to be patched, have malware protection running, and have a screen lock configured.
The fourth is MFA, or rather the lack of it. I've assessed practices where MFA was available on every platform they used but nobody had turned it on. Microsoft 365, Google Workspace, and most CRM platforms all support it. If it's available and you haven't enabled it, that's a fail under Danzell.
None of these are hard to fix. They're just things that don't get fixed until someone points them out.
The SJP question
Large advisor networks like St James's Place have their own corporate certification. But if you're an IFA operating as your own limited company within that network, the network's CE doesn't cover your practice.
Your devices, your email account, your CRM access, and your client data storage are all your responsibility. The network provides platforms and compliance frameworks, but the Cyber Essentials scope for your practice is defined by what you control, not what the network controls.
I've had practice managers at these networks ask whether getting one CE for the whole office covers everyone. It depends entirely on the legal structure. If each advisor is a separate legal entity, each one needs their own certification. If they're all employed by a single entity, one certification can cover the office.
For practice managers who coordinate across multiple IFAs, there's an opportunity here. Getting a group of advisors certified together is more efficient than each one figuring it out independently. The scoping conversation is similar for each practice, the controls are the same, and the timeline can be coordinated.
What does the certification process look like?
Cyber Essentials Basic is a self-assessment: you complete an online questionnaire about your technical controls, a senior person in the business signs a declaration of responsibility, and a certification body verifies the answers. For a solo advisor or small practice, the questionnaire takes a few hours if your IT is already in reasonable shape.
Cyber Essentials Plus adds a technical audit where an assessor tests your systems directly. They check that your firewall is configured properly, that patches are applied, that MFA is working, and that malware protection is running. It takes longer and costs more, but it proves your controls actually work rather than just existing on paper.
Certification is valid for 12 months and you recertify annually.
You can see CE Basic assessment pricing and CE Plus assessment pricing on the website. I've certified over 800 organisations through Cyber Essentials and CE Plus, from FTSE 350 companies down to one-person practices. Financial advisors are not unusual, and the controls are the same for everyone. The scope is what varies from one practice to another.
Eligible small and medium-sized enterprises (SMEs) also get up to GBP 25,000 in free cyber insurance bundled with their certificate.
What should you do first?
Check your email and confirm whether MFA is turned on. If you're using Microsoft 365 or Google Workspace and MFA isn't enabled, start there. That single step prevents more breaches than anything else you could do today.
Then look at what devices you use for work and whether they're up to date. Check your phone, your laptop, any tablets. If you're due a Cyber Essentials assessment in the next 12 months, you'll be assessed under Danzell rules, and personal devices aren't optional any more.
The full list of Danzell changes is in the Danzell Changes 2026 Guide. If you want to understand the 14-day patching requirement specifically, there's a separate guide for that.
What happens if client data is compromised?
Your obligations depend on what data was exposed and how your practice is regulated. At minimum, you'd need to report the breach to the Information Commissioner's Office if personal data was involved, which it almost certainly would be. You'd also need to notify affected clients.
But the longer-term damage is harder to quantify. Financial advisors run their entire business on trust, and if a client finds out their tax records, portfolio data, and personal details were exposed because your email account didn't have MFA turned on, that conversation doesn't end well. And their solicitor will ask what controls you had in place.
Professional indemnity insurance is another pressure point. Insurers want to see that you took reasonable steps to protect client data. Holding Cyber Essentials certification is one of the clearest ways to demonstrate that, and not holding it is increasingly difficult to explain.
If you're not sure where to start, take our readiness quiz, get in touch, email [email protected], or call +44 20 3026 2904.