The Cyber Security and Resilience Bill is steadily moving through Parliament, but for many financial advice and wealth management firms it has yet to register as an immediate priority. Michael Perez, Chief Technology Security Officer at Ekco, warns that this is exactly the problem: as the legislation is shaped, it is already setting the direction of future operational and governance expectations across financial services.
The Cyber Security and Resilience Bill is moving through Parliament, and for most financial advice and wealth management firms, it has not yet landed on the radar in any serious way.
That is understandable; the Bill is still being shaped, and the day-to-day demands of running a regulated advice business leave little room for tracking committee-stage legislation. But the detail being worked through now will define the operational reality firms have to manage once it passes, and waiting until the legislation is finalised is not the most useful approach.
The Bill is designed to raise baseline cyber standards across UK sectors by reforming the existing Network and Information Systems framework and placing clearer duties on organisations and their senior leaders.
The government has positioned it as an upgrade to national cyber defences. The broad direction has been welcomed across the industry, and rightly so — the UK has needed a more coherent approach to cyber regulation.
But for financial services firms specifically, the more pressing issue is how the Bill will sit alongside a regulatory environment that is already layered and demanding.
Why this is more complex for financial services
Financial advice and wealth management firms do not operate in a regulatory vacuum. FCA conduct expectations, PRA resilience requirements for firms with relevant exposure, and internal governance standards are already in place and actively monitored. The Bill proposes a cross-sector security baseline that would sit across all of that.
That creates two practical challenges. First, firms are likely to find themselves managing overlapping duties: a statutory baseline that runs alongside existing FCA and PRA requirements, with accountability at board level that is harder to define clearly when the frameworks do not map neatly onto each other.
Second, without clarity on definitions, reporting thresholds, and which regulator takes the lead in which scenario, there is a genuine risk of duplicated effort. Firms end up reporting more, not better.
Parliamentary debate so far suggests these questions are still open. Ministers and MPs are actively working through how the Bill will interact with existing regimes, and that lack of clarity is already creating uncertainty in banking and financial services.
The concern is not with the intent of the Bill; it is with how it will be applied in practice in sectors that already carry significant compliance workloads.
What this means for smaller firms
For advisory and wealth management businesses without large compliance or IT functions, the compounding effect of overlapping frameworks is felt more acutely.
A compliance manager carrying multiple responsibilities does not have the bandwidth to track a new statutory regime in parallel with existing FCA obligations, third-party supplier reviews, and the day-to-day demands of a regulated business. The volume of cyber guidance that firms are expected to absorb has grown substantially over the past five years, and that trajectory is continuing.
The Bill also places greater emphasis on senior accountability. That is the right direction, but it raises the practical question of whether leadership teams have a clear enough picture of their current cyber posture to meet those expectations when they are tested.
Where to start
The most useful thing firms can do now, before the legislation is finalised, is reduce internal complexity. That means getting a single, defensible view of existing obligations, mapping current controls against FCA expectations, incident reporting requirements, and third-party risk, rather than managing multiple disconnected processes.
Visibility is the next pressure point. Compliance is only as strong as the data that supports it. Where security and compliance functions are working from different tools or datasets, reporting becomes slower and harder to defend. Bringing those views together through more unified monitoring and reporting materially reduces that burden.
Governance also needs to be tested, not assumed. Cyber crisis simulations that include legal and regulatory considerations give leadership teams a clearer sense of what will actually be expected of them under scrutiny. Running these exercises before a regulator comes looking is considerably more useful than running them after.
Finally, third-party exposure deserves closer scrutiny. Financial services firms rely heavily on managed service partners and specialist vendors. As supply chain security expectations tighten under the new framework, firms need stronger assurance that those partners meet consistent security standards, and clear continuity plans if they do not.
Sector resources like the Financial Services Information Sharing and Analysis Centre (FS-ISAC) can support firms in staying informed on emerging threats without building dedicated intelligence functions in-house.
The Cyber Security and Resilience Bill will raise expectations. For firms that take this period to understand where they currently stand, across governance, controls, and third-party oversight, the transition will be considerably more manageable than for those that begin that work once the legislation is already in force.