Cyber Essentials vs The FCA Standard

Carla Adams

Apr 14, 2025

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against common online threats. It includes two levels:

  • Cyber Essentials (self-assessed)

  • Cyber Essentials Plus (includes technical verification)

The five control areas covered by Cyber Essentials are:

  1. Firewalls

  2. Secure configuration

  3. Access control

  4. Malware protection

  5. Patch management

These controls address basic vulnerabilities and are ideal for small businesses or organisations starting their cybersecurity journey. For official details, refer to the National Cyber Security Centre (NCSC).


What Does Cyber Essentials Plus Actually Achieve?

Cyber Essentials Plus offers a higher level of assurance through hands-on technical testing by an external assessor. It verifies that the five controls are correctly configured and working on your systems. However, it is still built around the assumption of a low-skilled, opportunistic threat actor and does not prepare you for the targeted attacks, insider threats, or sophisticated breaches that financial firms regularly face.


Enter the FCA: A Whole New Level of Scrutiny

The FCA isn’t just concerned with your firewalls and antivirus. It wants to know that you can identify, prevent, detect, respond to, and recover from cyber threats.

Here are just a few of the expectations outlined in the FCA's Cyber and Technology Resilience document:

  • Governance and accountability: Senior managers must be responsible for cybersecurity decisions.

  • Third-party risk: Firms must vet and monitor the security practices of all suppliers and partners.

  • Operational resilience: You need tested plans in place for dealing with outages, breaches, or ransomware events.

  • Incident reporting: Significant cyber incidents must be reported to the FCA immediately.

  • Ongoing monitoring and response: The FCA expects firms to deploy tools like SIEM, XDR, or MDR to monitor threats in real time.

This isn’t just IT hygiene; this is strategic cyber risk management.


Key Differences at a Glance

| Feature | Cyber Essentials Plus | FCA Standards |
|---|---|---|
| Level of Assurance | Basic | High |
| Technical Verification | Yes | Yes + Governance |
| Risk Assessment Requirement | No | Yes |
| Ongoing Threat Monitoring | No | Yes (e.g. SIEM, XDR) |
| Incident Response Plan | Not required | Required and Tested |
| Board-level Accountability | No | Yes |
| Compliance Reporting | Not included | Mandatory |
| Third-party/vendor risk | Minimal | In-depth due diligence required |


So, Is Cyber Essentials Worth It?

Absolutely – but only as a starting point. Think of Cyber Essentials Plus as locking your front door. The FCA wants to know if you have alarms, security guards, CCTV, and an evacuation plan. One doesn’t replace the other.

For financial firms, showing you have Cyber Essentials Plus is a good credibility booster. But if you stop there, you’re not even close to what the FCA demands for protecting client data and maintaining operational resilience.


Building a Cyber Strategy That Meets FCA Standards

If you're serious about compliance, especially in the finance sector, here’s what your cyber maturity model should evolve into:

  1. Cyber Essentials Plus as a hygiene baseline.

  2. Regular vulnerability assessments and penetration testing.

  3. 24/7 monitoring through Managed Detection and Response (MDR or XDR).

  4. Security policies aligned with FCA's guidance.

  5. Employee training & phishing simulations.

  6. Backup, recovery, and disaster continuity plans.

  7. Board-level reporting on risk posture and incident readiness.


Final Word: Don’t Get Caught with Your Defences Down

The FCA has been increasingly vocal and active in holding firms accountable for cyber failings. Fines, sanctions, and reputational damage are all on the table. If your firm only has Cyber Essentials or Cyber Essentials Plus in place, it might feel safe, but in reality, you're still exposed.

Use Cyber Essentials as the foundation, but not the ceiling. Your clients, investors, and the FCA expect more.


Need help aligning with FCA standards? At Spyda Security, we help financial firms go beyond Cyber Essentials and build a cyber programme that truly meets FCA scrutiny. Get in touch to find out how we can secure your business, stay compliant, and scale with confidence.
