Reflections From the Parliament & Cyber Conference 2025

Yesterday, I had the pleasure of representing DCR Partners at the inaugural Parliament & Cyber Conference 2025, bringing MPs together with individuals from the commercial and private sector. This was a rare moment for me personally where policy, industry and national resilience specialists were speaking openly in the same room.

Events like this remind you that there is often a bigger story and purpose behind the work we all do day-to-day and that each of us, in our own roles, can have a bigger impact than the day job sometimes suggests. It was also a great opportunity to build new connections and learn directly from the people shaping the UK’s cyber direction.

I have summarised below my personal takeaways and views from the event. I have attempted to provide a succinct set of considerations for those operating in UK financial services.

 

1. The UK has strong foundations but the national bar is uneven

One of the clearest messages of the day: the UK is in a strong position. We have a world-class capability in the National Cyber Security Centre (NCSC), a mature FS regulatory framework, and some of the best cyber expertise globally. These are genuine strengths.

But the resilience gap varies widely across the wider economy. The UK is built on a huge SME base, and many of those firms still operate with inconsistent or minimal security. This unevenness is a national-level risk and exactly what the Cyber Security & Resilience Bill aims to address by raising the minimum bar across critical suppliers, data centres, MSPs and operationally essential SMEs.

Considerations for FS firms: The biggest exposure sits in the long tail of suppliers you (potentially) depend on. A common question is how much assurance is enough. Start by understanding where SME fragility sits across your 3rd, 4th and 5th parties.

 

2. The Bill is going after the real pressure points

Policy is finally converging on where attackers get leverage: MSPs, hosting providers, niche IT suppliers and the operational “plumbing” of the economy. Regulators know this is where systemic risk lives.

Considerations for FS firms: Operational resilience expectations on financial services firms have already pushed firms to identify their critical suppliers. Expect those recently mapped suppliers to come under new scrutiny: the external bar will rise and they will need to evidence that they meet it. Reassess which ones are genuinely critical and ensure that the tiering of assurance reflects operational dependency, not contract value or headcount.

 

3. NCSC's approach: uplift the many, harden the essential

A simple set of principles has emerged:

  • Raise SME resilience at scale (Cyber Essentials),
  • Strengthen standards for the critical few,
  • Drive consistency across regulators.

Considerations for FS firms: This is a pragmatic way to structure supplier assurance. Baselines for the majority; deep, evidenced assurance for the small number that matter most. Does your internal approach to supplier assurance align? More broadly, how are you using data to inform your supplier position? After all, it's not possible to just keep recruiting more people.
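Sections 1 to 3 above all turn on the same idea: tier suppliers by the business service they transitively underpin (third, fourth, fifth party), not by what you pay them. The script below is an added example to illustrate that, not code from the original post or from DCR Partners. Every service, supplier, dependency, contract value and tier threshold in it is constructed for illustration and refers to no real organisation; the `tier_from_tolerance` thresholds and the `TIER_ASSURANCE` descriptions are assumptions you would replace with your own.

```python
"""Tier suppliers by the business services they transitively underpin.

Added example, not from the original post. The services, suppliers,
dependencies, contract values and tier thresholds below are CONSTRUCTED
for illustration; none refers to a real organisation.
"""
from collections import deque

# Important business services and the outage each can tolerate, in hours.
# A lower tolerance means a more critical service.
SERVICES = {
    "retail_payments": 2,
    "mortgage_origination": 48,
    "internal_hr_portal": 120,
}

# Direct (third-party) suppliers of each service.
SERVICE_SUPPLIERS = {
    "retail_payments": ["PayGateway Ltd"],
    "mortgage_origination": ["DocFlow Inc"],
    "internal_hr_portal": ["HRCloud"],
}

# Each supplier's own suppliers: fourth, fifth ... parties from the firm's view.
SUPPLIER_DEPS = {
    "PayGateway Ltd": ["NicheHost SME"],
    "DocFlow Inc": ["HRCloud"],
    "NicheHost SME": ["TinyDNS Co"],
    "HRCloud": [],
    "TinyDNS Co": [],
}

# Annual contract value to the firm (0 = no direct contract, i.e. an nth party).
CONTRACT_VALUE_GBP = {
    "PayGateway Ltd": 2_000_000, "DocFlow Inc": 800_000, "HRCloud": 150_000,
    "NicheHost SME": 0, "TinyDNS Co": 0,
}

# Illustrative assurance per tier: baseline for the many, evidenced for the few.
TIER_ASSURANCE = {
    1: "evidenced: pen-test and BCP test results, right to audit, exit plan",
    2: "certified: Cyber Essentials Plus plus questionnaire",
    3: "baseline: Cyber Essentials self-assessment",
}
PARTY_NAME = {1: "third", 2: "fourth", 3: "fifth"}


def reachable_suppliers(service):
    """Map every supplier the service transitively depends on to its depth
    (1 = third party, 2 = fourth party, ...). Cycles in the graph are safe."""
    seen = {}
    queue = deque((s, 1) for s in SERVICE_SUPPLIERS.get(service, []))
    while queue:
        name, depth = queue.popleft()
        if name in seen:            # BFS: the first visit is the shallowest
            continue
        seen[name] = depth
        for dep in SUPPLIER_DEPS.get(name, []):
            queue.append((dep, depth + 1))
    return seen


def tier_from_tolerance(hours):
    """Dependency-based tier, driven by the most critical service underpinned."""
    if hours <= 4:
        return 1
    if hours <= 72:
        return 2
    return 3


def tier_from_contract_value(gbp):
    """The naive alternative the post warns against: tier by what you pay."""
    if gbp >= 1_000_000:
        return 1
    if gbp >= 100_000:
        return 2
    return 3


def tier_suppliers():
    """Return {supplier: {...}} holding the dependency tier and the
    contract-value tier side by side so the two approaches can be compared."""
    result = {}
    for service, tolerance in SERVICES.items():
        for supplier, depth in reachable_suppliers(service).items():
            row = result.get(supplier)
            if row is None or tolerance < row["tolerance_hours"]:
                # depth is measured along the path to the most critical service
                result[supplier] = {
                    "tolerance_hours": tolerance,
                    "critical_service": service,
                    "depth": depth,
                    "party": PARTY_NAME.get(depth, f"{depth + 2}th"),
                }
    for supplier, row in result.items():
        row["tier"] = tier_from_tolerance(row["tolerance_hours"])
        row["assurance"] = TIER_ASSURANCE[row["tier"]]
        row["value_tier"] = tier_from_contract_value(CONTRACT_VALUE_GBP.get(supplier, 0))
    return result


if __name__ == "__main__":
    for name, row in sorted(tier_suppliers().items(), key=lambda kv: kv[1]["tier"]):
        flag = "  <-- under-assured if tiered by contract value" if row["value_tier"] > row["tier"] else ""
        print(f"tier {row['tier']} (value tier {row['value_tier']}) {name:<16} "
              f"{row['party']} party via {row['critical_service']}{flag}")
```

In the constructed data, the unpaid fifth party "TinyDNS Co" lands in tier 1 because retail payments cannot survive without it, while a contract-value view would put it in tier 3; that gap between `tier` and `value_tier` is the list of suppliers to look at first.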

 

4. Clear ambition but the operational roadmap is still forming

There’s real alignment on what needs to improve: supply chain resilience, recoverability, and incident reporting. But the detailed “how” is still evolving.

Considerations for FS firms: FS firms are already years ahead on resilience thinking. This puts the sector in a position to influence national standards, but also to prepare internally by ensuring frameworks are practical, outcome-led, and not burdened by unnecessary complexity that will become harder to unwind later.

 

5. Incident reporting is still a fragmented, multi-regulator maze

Incident reporting expectations are at times complex, overlapping and sometimes unrealistic. One incident can trigger five different regulators, three different clocks and multiple contractual notifications, all before the root cause is even understood.

Considerations for FS firms: If you aren’t doing this already, create a single integrated reporting playbook, automate key steps where possible, and ensure all teams share one definition of “material”. This cuts confusion and keeps responders focused on stabilising the incident, not chasing multiple deadlines.
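To make the "one playbook, one definition of material" point concrete, here is an added example (not code from the original post or from DCR Partners) that turns a table of notification obligations into a single deadline schedule. Every recipient, clock start and hour count in `OBLIGATIONS`, and the thresholds in `is_material`, are constructed for illustration and are not the actual rules of any regulator or contract. The point it shows is the one the section makes: several clocks start at detection even though whether they apply depends on a materiality decision taken later, so the decision cannot wait for the root cause.

```python
"""One integrated notification schedule for a single incident.

Added example, not from the original post. Every obligation, deadline and
clock below is CONSTRUCTED for illustration; none is the actual rule of any
regulator or contract. Replace the OBLIGATIONS table with your own mapping.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Obligation:
    recipient: str
    clock_start: str   # event that starts the clock: "detected" or "material"
    hours: int         # hours allowed once the clock has started
    applies_if: str    # "always", "material", "customer_data" or "outage"


# Hypothetical obligations. Several clocks start at *detection* even though
# whether they apply depends on a materiality decision that comes later:
# the clock runs while the decision is pending.
OBLIGATIONS = [
    Obligation("Regulator A (prudential)", "detected", 24, "material"),
    Obligation("Regulator B (conduct)", "material", 72, "material"),
    Obligation("Data protection authority", "detected", 72, "customer_data"),
    Obligation("Payment scheme operator", "detected", 4, "outage"),
    Obligation("Client X (contractual notice)", "detected", 48, "always"),
]

FAR_FUTURE = datetime(9999, 1, 1, tzinfo=timezone.utc)  # sort sentinel


def is_material(incident):
    """The single definition of 'material' every team uses (illustrative thresholds)."""
    return (incident["customer_data_exposed"]
            or incident["outage_hours"] >= 2
            or incident["estimated_loss_gbp"] >= 100_000)


def applies(ob, incident, material):
    """True/False when known; None when it hinges on an undecided materiality call."""
    if ob.applies_if == "always":
        return True
    if ob.applies_if == "customer_data":
        return bool(incident["customer_data_exposed"])
    if ob.applies_if == "outage":
        return incident["outage_hours"] > 0
    if ob.applies_if == "material":
        return material
    raise ValueError(f"unknown condition {ob.applies_if!r}")


def notification_schedule(incident, timeline):
    """Return every obligation with its deadline and status, earliest first.

    timeline maps clock-start events ("detected", "material") to the time they
    happened. An obligation whose clock-start event has not happened is
    'not_started'; one whose clock is running but whose applicability awaits
    the materiality decision is 'conditional'.
    """
    material = is_material(incident) if "material" in timeline else None
    rows = []
    for ob in OBLIGATIONS:
        app = applies(ob, incident, material)
        deadline = None
        if app is False:
            status = "not_applicable"
        elif ob.clock_start not in timeline:
            status = "not_started"
        else:
            deadline = timeline[ob.clock_start] + timedelta(hours=ob.hours)
            status = "due" if app else "conditional"
        rows.append({"recipient": ob.recipient, "status": status,
                     "deadline": deadline, "clock": ob.clock_start})
    rows.sort(key=lambda r: r["deadline"] or FAR_FUTURE)
    return rows


# Constructed incident and timeline used for the demonstration.
INCIDENT = {"customer_data_exposed": True, "outage_hours": 3,
            "estimated_loss_gbp": 50_000}
DETECTED = datetime(2025, 11, 10, 9, 0, tzinfo=timezone.utc)
MATERIAL_DECIDED = DETECTED + timedelta(hours=6, minutes=30)
TIMELINE = {"detected": DETECTED, "material": MATERIAL_DECIDED}

if __name__ == "__main__":
    # Before the materiality decision: detection clocks are already running.
    for row in notification_schedule(INCIDENT, {"detected": DETECTED}):
        print(f"{row['status']:<14} {row['recipient']:<32} {row['deadline']}")
    print("--- after the materiality decision ---")
    for row in notification_schedule(INCIDENT, TIMELINE):
        print(f"{row['status']:<14} {row['recipient']:<32} {row['deadline']}")
```

Run before the materiality decision, the schedule shows Regulator A as "conditional" with a deadline already set from detection, which is exactly the case that catches responders out when each team keeps its own clock and its own definition of material.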

 

6. The victim-criminal imbalance is finally being acknowledged

There was a striking theme that many organisations hit by attacks feel more scrutiny than the criminals behind them.

Considerations for FS firms: Strengthen decision-making discipline under pressure. Document and test clear triggers and information flows, and record the rationale for decisions as they are made. That supports management during an incident, and it also withstands scrutiny afterwards.

 

7. The hardest tension: who protects the UK economy?

There is an uncomfortable but important question: Should the state defend the private sector, or should firms defend themselves to a national standard?

There is no clean answer, and that uncertainty became very visible.

Considerations for FS firms: Assume you are your own first line of national defence. Crisis playbooks should reflect real-world response capability, not assumed government intervention.

 

8. The UK has a real opportunity

The cyber industry is worth ~£13bn, growing at ~11%, and globally competitive. With the right focus, this can be a genuine national strength.

Considerations for FS firms: If you are not doing this already, anchor cyber and resilience spend to outcomes that genuinely matter:

  • Reducing outage risk
  • Protecting customer experience
  • Enabling growth
  • Improving recoverability
  • Removing operational friction
Every pound must deliver measurable value.

 

Final thought: The commercial reality matters more than ever

The discussions were ambitious and positive. But the reality, whether you operate in financial services or elsewhere, is that the operating environment is tough: budgets under pressure, investment assessed line by line, and threats accelerating.

In this environment, firms can’t “do more”. They must do what works. Outcome-based resilience will outperform control-heavy resilience every time.

The organisations making real progress are the ones simplifying, prioritising and investing only where capability materially reduces risk or protects customer value.

If you'd like to explore what these signals from Parliament mean for your 2025–26 cyber and resilience roadmap, I’m happy to discuss.
