Patrick Murphy on why outsourced IT does not outsource responsibility

In this second article in his series for IFA Magazine on operational resilience for advisers, Patrick Murphy explains why outsourcing IT does not remove FCA-regulated firms’ responsibility for cyber risk, and why advisers must start treating cyber resilience as a governance and client outcome issue, not just a technical one.

Many advice firms take comfort in one simple belief:

“Our IT is outsourced — so we’re covered.”

It sounds reasonable.

It’s also dangerously wrong. Because from a regulatory perspective — particularly under Financial Conduct Authority expectations — you can outsource the function, but you cannot outsource the responsibility.

And that’s where many firms are exposed.

The Comfort Trap

Most IFAs I speak to have a capable IT provider.

They’ve got:

  • Firewalls
  • Antivirus
  • Email filtering
  • Regular updates
  • A reassuring voice at the end of the phone

So naturally, they assume cyber risk is being “handled.” But here’s the reality:

IT providers manage systems. They do not manage your regulatory risk — or the consequences when something goes wrong.

Why This Matters: The Real Business Impact

Cyber risk isn’t just a technical issue. It’s a business event. If your email system is compromised, this isn’t just an IT problem. It can mean:

  • Client money being redirected fraudulently
  • Loss of client trust — often permanently
  • Regulatory reporting and scrutiny
  • Operational disruption — no access to systems, no ability to advise
  • Direct interruption to revenue

That’s not hypothetical; it’s what actually happens.

And when it does, the question isn’t “Where was IT?” It’s:

“Who was accountable?”

What the FCA Actually Cares About

The Financial Conduct Authority is not interested in whether you’ve installed the latest software patch. They care about outcomes.

Specifically:

  • Could a cyber incident harm your clients?
  • Could it disrupt your ability to deliver advice?
  • Could you respond effectively under pressure?

And here’s the key point:

If your firm were asked tomorrow to demonstrate clear ownership of cyber risk, and a defined incident response — could you? Because that’s the standard that’s coming.

The Responsibility Gap

This is where the real risk sits — the gap between:

  • What firms think is being covered, and
  • What is actually their responsibility

In that gap, we typically find:

  • No clear cyber risk ownership at board level
  • No documented or tested incident response plan
  • Limited understanding of third-party dependencies
  • No clarity on how the business continues during disruption

Everything feels under control.

Until it isn’t.

A Simple Example

Let’s say your email system is compromised.

Your IT provider may:

  • Detect unusual activity
  • Reset passwords
  • Restore access

All important.

But the real questions are:

  • Were client communications intercepted?
  • Could fraudulent instructions have been sent?
  • Do you need to notify clients?
  • Do you need to report this to the regulator?
  • How do you continue operating while systems are down?

That’s not IT support.

That’s client protection, business continuity, and regulatory accountability.

Third Parties: The Hidden Risk

Most advice firms rely on a network of external providers:

  • Platforms
  • Back-office systems
  • Cloud storage
  • Paraplanning support

Each one introduces a potential point of failure.

Yet very few firms can clearly answer:

“If this provider failed tomorrow, what would happen to our clients?”

The FCA expects you to know. And more importantly — to have planned for it.

A Shift in Mindset

Cyber risk is no longer an IT issue.

It is:

  • A governance issue
  • A client outcome issue
  • A business continuity issue
  • And increasingly, a Consumer Duty issue

Because if a cyber incident leads to client harm — financial loss, distress, or loss of access — the responsibility sits with the firm.

And ultimately:

With its directors.

Three Questions Every IFA Firm Should Ask

If you do nothing else, start here:

1. Who on our board owns cyber risk?
(Not IT — accountability.)

2. What would we actually do in the first 24 hours of an incident?
(Not theoretically — practically.)

3. Which external providers could take us offline — and what’s our plan if they do?

If you can’t answer those clearly:

You don’t have a cyber strategy. You have a dependency.

If you’re not sure how to answer these, you can explore them through the free Cyber Clinic at https://goiatechnologies.com/cyber-clinic — a simple way to see where your exposure really sits.

Final Thought

Outsourcing IT is sensible.

Outsourcing responsibility is not possible.

The firms that understand this early will:

  • Protect their clients
  • Strengthen their resilience
  • Stay ahead of regulatory expectations

But here’s the reality most firms avoid:

When a cyber incident happens — and it does happen — it is not your IT provider who answers for it.

It is the firm.

And ultimately, it is the directors who must explain what went wrong, why it wasn’t prevented, and how client harm was managed.

That is the standard.

That is the accountability.

And that is why cyber risk can no longer sit in IT.

It sits at the top of the business.
