Cyber Essentials for financial firms: getting it, and keeping it
Cyber Essentials has quietly become a baseline. Insurers ask for it, larger clients require it in due diligence, and for regulated firms it signals the kind of security hygiene the FCA expects. For financial firms especially, not having it is now the thing that stands out.
The good news: it’s achievable. The scheme covers five technical control areas, and none of them are exotic.
The five controls
- Firewalls — a boundary firewall, or a software firewall on every device, with default admin passwords changed and inbound rules justified rather than left open.
- Secure configuration — devices and software hardened: default and guest accounts removed or disabled, unneeded software and features removed, default passwords changed.
- User access control — one account per person, separate admin accounts that are not used for email or browsing, no shared admin accounts, and multi-factor authentication on all cloud services.
- Malware protection — anti-malware (or application allow-listing) on every in-scope device, enabled and kept current, not merely installed.
- Patch management (the scheme now calls it security update management) — only licensed, vendor-supported software, with high- and critical-severity security updates applied within 14 days of release.
If you run a well-managed estate, you are most of the way there already. If you don’t, Cyber Essentials is a useful forcing function to get the basics right.
Cyber Essentials Plus
The standard certification is a self-assessment: a questionnaire reviewed by a certification body, but based on your own answers. Plus adds independent, hands-on testing by an assessor, carried out within three months of passing the self-assessment: vulnerability scans of a sample of devices and of your internet-facing systems, and checks that malware delivered by email and browser download is actually blocked. It is the tier insurers and serious clients increasingly want, because someone external has actually checked. It is more work, but it carries more weight. For a regulated firm, it is usually worth going straight for Plus.
The part people forget
Certification lasts a year. The failure mode isn’t passing — it’s drifting. Patches slip, a shared admin account creeps back in, a new device misses the baseline, and twelve months later the reassessment is a scramble. Certification should be a by-product of how the estate is run every day, not an annual project.
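To make "maintain the controls continuously" concrete, here is an added example, not part of the original article or of any scheme tooling: a Python drift check that scores a device inventory against the five controls and reports how long is left on the certificate. The device records, field names and account names are constructed for the illustration (in practice the inventory would come from an MDM or RMM export); the only scheme figures used are the published ones: 14 days to apply high- or critical-severity security updates, and 12 months of certificate validity.

```python
"""Cyber Essentials drift check over a device inventory (illustrative example).

The Device fields and the sample estate are constructed for this example; the
thresholds are the ones the published Cyber Essentials requirements state.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # high/critical security updates applied within 14 days of release
CERT_VALIDITY = timedelta(days=365)  # certification is valid for 12 months


@dataclass
class Device:
    name: str
    os_supported: bool                       # vendor still issues security updates for the OS
    firewall_on: bool                        # host or boundary firewall active
    firewall_default_creds: bool             # firewall admin interface still on vendor defaults
    anti_malware_on: bool
    pending_updates: list[tuple[str, date]]  # (update id, vendor release date) of unapplied high/critical updates
    admin_accounts: dict[str, Optional[str]]  # admin account name -> accountable owner; None means shared
    cloud_mfa: bool                          # MFA enforced on the cloud services this device's users sign in to


def check_device(dev: Device, today: date) -> list[str]:
    """Return one finding per control failure; an empty list means the device meets the baseline."""
    findings: list[str] = []

    # 1. Firewalls
    if not dev.firewall_on:
        findings.append("firewalls: firewall disabled")
    if dev.firewall_default_creds:
        findings.append("firewalls: admin interface still on default credentials")

    # 2. Secure configuration: unsupported software cannot be hardened or patched
    if not dev.os_supported:
        findings.append("secure configuration: operating system out of vendor support")

    # 3. User access control
    for account, owner in dev.admin_accounts.items():
        if owner is None:
            findings.append(f"access control: admin account '{account}' has no single accountable owner")
    if not dev.cloud_mfa:
        findings.append("access control: MFA not enforced on cloud services")

    # 4. Malware protection
    if not dev.anti_malware_on:
        findings.append("malware protection: anti-malware not running")

    # 5. Security update management: the clock runs from the vendor's release date
    for update_id, released in dev.pending_updates:
        age = today - released
        if age > PATCH_WINDOW:
            findings.append(f"patching: {update_id} released {age.days} days ago, limit is {PATCH_WINDOW.days}")
    return findings


def check_estate(devices: list[Device], certified_on: date, today: date) -> dict:
    """Estate-level view: which devices have drifted, and how long until reassessment."""
    per_device = {d.name: check_device(d, today) for d in devices}
    expires = certified_on + CERT_VALIDITY
    return {
        "compliant_devices": [n for n, f in per_device.items() if not f],
        "drifted_devices": {n: f for n, f in per_device.items() if f},
        "certificate_expires": expires,
        "days_to_reassessment": (expires - today).days,
    }


# Constructed sample estate: one clean laptop, one that has drifted, one legacy PC.
TODAY = date(2024, 9, 1)
CERTIFIED_ON = date(2023, 11, 15)
SAMPLE_ESTATE = [
    Device("fin-laptop-01", True, True, False, True,
           [("UPD-2024-08A", date(2024, 8, 25))], {"la-jsmith": "J Smith"}, True),
    Device("fin-laptop-07", True, True, False, True,
           [("UPD-2024-07C", date(2024, 7, 30))], {"la-jsmith": "J Smith", "admin": None}, True),
    Device("reception-pc", False, True, False, False,
           [], {"Administrator": None}, True),
]

if __name__ == "__main__":
    report = check_estate(SAMPLE_ESTATE, CERTIFIED_ON, TODAY)
    for name, findings in report["drifted_devices"].items():
        for f in findings:
            print(f"{name}: {f}")
    print(f"{len(report['compliant_devices'])} device(s) clean; "
          f"certificate expires {report['certificate_expires']} ({report['days_to_reassessment']} days)")
```

Run daily against a real inventory export, the output is the list of things to fix this week; when it is empty for a year, the reassessment is the formality the article describes. Note that the patch check measures from the vendor's release date, not from when the update was noticed, because that is how the 14-day window is counted.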
That’s the approach we take: get certified, then maintain the controls continuously so the next assessment is a formality. The certificate is just the visible part of something that should be true all year round.
Want technology you can stop thinking about?
A 30-minute call, no obligation. We’ll tell you plainly whether we can help.
Book a call