
After SJP: Cyber Essentials Is Becoming Standard Across UK Wealth Management

Jay Hopkins
Last reviewed: 18 April 2026

When St. James’s Place mandated Cyber Essentials Plus across its 2,800-strong Partner Practice network in May 2024, it set a precedent that the rest of UK wealth management is still absorbing. SJP was the first major UK financial advice network to extend mandatory cybersecurity certification to its entire distribution. By the end of the first six months, over 1,600 Partner Practices had certified, and SJP has publicly reported roughly an 80% reduction in security incidents across the Partnership since 2023.

That outcome has not gone unnoticed. Other wealth management networks, national IFA groups, and regional adviser networks are reviewing their own supply chain posture, and the direction of travel is clear: CE (often Plus) is becoming the baseline cybersecurity credential that distribution networks expect from their authorised representatives and appointed representatives.

This piece examines why SJP’s mandate was the pivot point, which networks are likely to follow, and what individual advice firms — whether or not they are part of a mandatory network — should take from the trend.

Why SJP’s mandate mattered

The SJP mandate is significant for three reasons beyond its sheer scale.

It established Plus, not CE, as the wealth management standard. SJP could have required self-assessed Cyber Essentials, which is faster and cheaper. It chose Plus, which includes an independent technical audit. For every other network watching the SJP rollout, that decision sets a reference point: self-assessed CE is now the minimum, Plus is the credible standard.

It proved the model works commercially. Before SJP, the argument against network-wide mandates was that they would be too expensive, too disruptive, or too alienating for Partners. SJP demonstrated that a 2,800-strong network can be migrated to Plus in six months with communication, support, and a clear rationale. Other networks studying the programme now have concrete evidence that the cost-benefit case holds.

It established the FCA’s expectation signal. The FCA has been escalating its expectations around operational resilience and supply-chain cyber risk under SYSC 15A and related Handbook provisions. SJP’s mandate was partly a response to that expectation. Every other regulated firm in UK wealth management now operates under the same regulator with the same expectations, and SJP’s mandate effectively redefined what "appropriate" looks like for a network of this kind.

Which networks are likely to follow

The UK wealth management distribution landscape has several networks of comparable or approaching scale that could plausibly introduce similar mandates. Without making specific claims about any individual network’s current plans, the structural pressure applies to:

Quilter Financial Planning. Quilter has its own adviser network (Quilter Financial Advisers) plus the broader Quilter Advice brand. Post-demerger from Old Mutual and more recently from Quilter Cheviot, the network has grown and its central compliance has continued to mature.

Openwork Partnership. One of the largest financial advice networks in the UK, with a mixed protection, mortgage, and wealth management remit. Supply-chain cyber resilience is an obvious priority.

True Potential. Rapidly grown IFA platform and adviser network with mature internal technology. Likely to have an established baseline but may formalise it publicly.

Tenet Group and Sesame Bankhall. Both serve the IFA and mortgage adviser markets with networks of authorised representatives.

2plan Wealth Management. Smaller than SJP but structurally similar in the authorised representative model.

Aviva’s regulated distribution, including ex-Friends Provident and ex-Canada Life distribution channels.

Mortgage-only networks such as PRIMIS, Tenet Lime, and the Stonebridge-style networks, where the cyber pressure is slightly different but the supply-chain logic is the same.

Not every network will go to SJP’s Plus-mandatory position. Some will require Cyber Essentials without Plus; some will operate a "strongly recommended" posture; some will require it for new network joiners but grandfather existing firms for a period. But the direction of the whole market is unmistakably toward certification as the expected minimum.

Why the FCA expectations are the real driver

Behind the network-level mandates are the FCA’s broader cyber and operational resilience expectations. The relevant regulatory levers are:

SYSC 15A (operational resilience). Firms must identify their important business services, understand their third-party dependencies, and demonstrate that those dependencies are resilient to severe but plausible scenarios. A distribution network’s Partner Practices or appointed representatives are third-party dependencies from the network’s perspective. The network’s operational resilience posture depends on those Practices’ cyber posture.

Consumer Duty (PRIN 2A). Firms must act to deliver good outcomes for retail customers. A data breach at a Partner Practice that leaks HNWI portfolio data does not deliver a good outcome. Demonstrating preventative cyber controls at the Partner level is part of demonstrating the Consumer Duty stance.

SYSC 13 and SYSC 8 (systems and controls, outsourcing). The historical basis for supervising third-party risk, still operative, still relevant.

For network firms themselves, mandating CE Plus across the Partner base is an evidenced response to those expectations. Not mandating CE Plus is not prohibited, but it looks increasingly unusual in supervisory conversations.

What an individual advice firm should take from the trend

For a Partner Practice, authorised representative, or small independent IFA not currently subject to a network mandate, three actions make sense:

Certify anyway. Whether or not your network currently requires it, holding a current Cyber Essentials Plus certificate is the direction of travel for the whole industry. Certifying now positions you ahead of any formal requirement that lands later. It is also useful for client-facing conversations — institutional clients, trustees, and HNWI clients increasingly ask about adviser cybersecurity posture.

Address the sector-specific gaps. The single most common wealth management CE Plus failure is incomplete MFA coverage across secondary cloud platforms: the CRM, the back-office system, the document signing tool, the portfolio review platform. Every one of these offers MFA and is in scope under v3.3; not every firm has turned it on.

Treat it as operational hygiene, not a compliance exercise. The firms that pass CE Plus cleanly and maintain it year on year are the ones that have internalised the controls — MFA, managed devices, documented leaver processes, no shared accounts — as how they operate, rather than as things they do for the audit. The firms that struggle are the ones that rushed into certification without addressing the underlying posture.

Likely market state in 12-24 months

Predicting the exact pace of mandate rollouts is speculative, but the direction is clear. Within 12-24 months, it is reasonable to expect:

  • CE (often Plus) as a standard onboarding requirement for new Partners, Appointed Representatives, or Network members at most of the major UK advice networks
  • CE Plus as the implicit standard for larger Practices (5+ people) across the industry, even where networks have formalised only self-assessed CE
  • Growing institutional-client expectation that their advisers hold current CE certification
  • Cyber insurance premiums materially differentiated by certification status
  • Continued regulatory pressure on networks that have not addressed supply-chain cyber risk explicitly

Firms that treat CE certification as a current standing posture rather than a one-off exercise will find themselves in a much stronger position whether or not a formal mandate arrives.

Bottom line

SJP’s 2024 mandate was not a one-off. It was the opening move in what will be a sector-wide shift toward Cyber Essentials Plus as the baseline cybersecurity credential for UK wealth management. The firms that have already certified are ahead of the curve; the firms still evaluating will find the decision made for them within a relatively short period.

For any adviser firm in London or elsewhere — whether currently network-affiliated or independent — getting certified now is strategically sensible. The controls required are reasonable, the cost is manageable (from £299.99 + VAT for CE, £1,499 + VAT for CE Plus), and the commercial value of holding a current certificate rises as the industry standard rises.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
