Yesterday, I had the pleasure of representing DCR Partners at the inaugural Parliament & Cyber Conference 2025, bringing MPs together with individuals from the commercial and private sector. This was a rare moment for me personally where policy, industry and national resilience specialists were speaking openly in the same room.
Events like this remind you that there is often a bigger story and purpose behind the work we all do day-to-day and that each of us, in our own roles, can have a bigger impact than the day job sometimes suggests. It was also a great opportunity to build new connections and learn directly from the people shaping the UK’s cyber direction.
I have summarised below my personal takeaways and views from the event, and have attempted to provide a succinct set of considerations for those operating in UK financial services.
1. The UK has strong foundations but the national bar is uneven
One of the clearest messages today: the UK is in a strong position. We have a world-class capability in the National Cyber Security Centre (NCSC), a mature FS regulatory framework, and some of the best cyber expertise globally. These are genuine strengths.
But the resilience gap varies widely across the wider economy. The UK is built on a huge SME base, and many of those firms still operate with inconsistent or minimal security. This unevenness is a national-level risk and exactly what the Cyber Security & Resilience Bill aims to address by raising the minimum bar across critical suppliers, data centres, MSPs and operationally essential SMEs.
UK FS firms are increasingly dependent on shared digital infrastructure: major cloud providers, telecoms networks, ID verification platforms, core SaaS tools, payment rails. Many of these are outside traditional regulation and used by SMEs with weak controls. When security maturity varies across the users of a shared platform, it raises the risk for everyone using that platform.
The key question becomes: Where are we exposed because our critical services sit on shared infrastructure?
This is the core driver behind the Cyber Security & Resilience Bill: uplifting baseline hygiene to protect shared systems, not just individual firms.
2. The Bill is going after the real pressure points
Policy is finally converging on where attackers get leverage: MSPs, hosting providers, niche IT suppliers and the operational “plumbing” of the economy. Regulators know this is where systemic risk lives.
Considerations for FS firms: Regulatory expectations on operational resilience have already placed significant focus on financial services firms identifying their critical suppliers. Expect your recently mapped suppliers to come under new scrutiny: the external bar will rise and they will need to prove they meet it. Consider and reassess which ones are genuinely critical, and ensure the tiering of assurance reflects operational dependency, not contract value or headcount.
3. NCSC's approach: uplift the many, harden the essential
A simple framework and set of principles has emerged:
- Raise SME resilience at scale (Cyber Essentials),
- Strengthen standards for the critical few,
- Drive consistency across regulators.
Considerations for FS firms: This is a pragmatic way to structure supplier assurance. Baselines for the majority; deep, evidenced assurance for the small number that matter most. Does your internal approach to supplier assurance align? More broadly, how are you using data to inform your supplier position? After all, it's not possible to just keep recruiting more people.
4. Clear ambition but the operational roadmap is still forming
There’s real alignment on what needs to improve: supply chain resilience, recoverability, and incident reporting. But the detailed “how” is still evolving.
Considerations for FS firms: FS firms are already years ahead on resilience thinking. This puts the sector in a position to influence national standards, but also to prepare internally by ensuring frameworks are practical, outcome-led, and not burdened by unnecessary complexity that will become harder to unwind later.
5. Incident reporting is still a fragmented, multi-regulator maze
Incident reporting expectations are at times complex, overlapping and sometimes unrealistic. For example, one incident can trigger five different regulators, three different clocks and multiple contractual notifications, all before the root cause is even understood.
Considerations for FS firms: If you aren’t doing this already, create a single integrated reporting playbook, automate key steps where possible, and ensure all teams share one definition of “material”. This cuts confusion and keeps responders focused on stabilising the incident, not chasing multiple deadlines.
6. The victim-criminal imbalance is finally being acknowledged
There was a striking theme that many organisations hit by attacks feel more scrutiny than the criminals behind them.
Considerations for FS firms: Strengthen decision-making discipline under pressure. Document and test clear triggers and information flows, and record the rationale for decisions made. That supports ongoing management during an incident, and it also withstands scrutiny afterwards.
7. The hardest tension: who protects the UK economy?
There is an uncomfortable but important question: Should the state defend the private sector, or should firms defend themselves to a national standard?
There is no clean answer, and that uncertainty became very visible.
Considerations for FS firms: Assume you are your own first line of national defence. Crisis playbooks should reflect real-world response capability, not assumed government intervention.
8. The UK has a real opportunity
The cyber industry is worth ~£13bn, growing at ~11%, and globally competitive. With the right focus, this can be a genuine national strength.
Considerations for FS firms: If you are not doing this already, anchor cyber and resilience spend to outcomes that genuinely matter:
- Reducing outage risk
- Protecting customer experience
- Enabling growth
- Improving recoverability
- Removing operational friction
Every pound must deliver measurable value.
9. How do you incentivise - carrot or stick?
In financial services, the “stick” is clear. Regulation creates an unmistakable driver: firms must embed security and resilience, and the expectation is backed by supervisory scrutiny and meaningful consequences. That pressure forces action.
But outside FS, many firms simply don’t have that same driver. Smaller businesses, especially those with thin margins, limited capacity, or no specialist capability, often struggle to prioritise security, even when the risks are understood. For them, “just do more” isn’t a realistic or helpful message.
So it raises a broader question:
If national resilience depends on uplifting the whole economy, not just regulated sectors, how do you motivate those firms that currently have no real lever pushing them forward?
I don't have a definitive answer, but it’s worth considering whether a purely compliance-led model can ever work for organisations that lack the resources to respond. And equally, whether a carrot-based approach (incentives, subsidies, tax relief, shared services) could help enable investment where it otherwise wouldn’t happen.
This isn’t advocacy; it’s simply acknowledging that if resilience is a national priority, then mechanisms to support smaller firms might need to be part of the conversation. Not as a guaranteed solution, but as a valid consideration given the scale of the gap.
Final thought: The commercial reality matters more than ever
The discussions were ambitious and positive. But the reality, whether you operate in financial services or elsewhere, is that the operating environment is tough: budgets under pressure, investment being assessed line by line, and threats accelerating.
In this environment, firms can’t “do more”. They must do what works. Outcome-based resilience will outperform control-heavy resilience every time.
The organisations making real progress are the ones simplifying, prioritising and investing only where capability materially reduces risk or protects customer value.
If you'd like to explore what these signals from Parliament mean for your 2026 cyber and resilience roadmap, I’m happy to discuss.
