In nearly every IFA firm we assess, the managing director gives us the same answer when we ask who is responsible for cybersecurity: "Our IT provider handles that." It is an entirely understandable answer. And it is almost always wrong - not because the IT provider is negligent, but because what they do and what you need are structurally different things.

What your IT provider actually does

A managed service provider keeps your systems running. They patch your software, manage your email filtering, provision new user accounts, respond to helpdesk tickets and maintain your backup schedule. This is genuinely important work and a good MSP does it reliably and professionally.

What a managed service provider does not - and structurally cannot - do is provide you with independent governance oversight of their own work. This is not a criticism of MSPs. It is a structural reality. You cannot commission someone to manage your systems and simultaneously commission them to independently assess whether those systems are adequately governed. The conflict of interest is inherent and unavoidable.

Think of it this way: your accountant prepares your accounts. Your auditor provides independent assurance over those accounts. You would never ask your accountant to audit their own work. The same principle applies to cyber governance - and yet almost every IFA firm in the UK operates without the audit layer.

The governance gap this creates

The gap is not primarily technical. It is a governance gap. Under FCA operational resilience rules and Consumer Duty, your directors are accountable for ensuring that your firm can identify, manage and recover from cyber risk. That accountability sits at board level. It cannot be delegated to a supplier.

When the FCA asks what governance you have over your cyber risk posture - and they are increasingly asking - "our IT provider handles it" is not an answer that satisfies a supervisory question. It describes an operational arrangement. It does not describe a governance structure.

A governance structure requires that your board has reviewed and documented the firm's cyber risk exposure. It requires that impact tolerances have been set for your Important Business Services. It requires that your IT provider's posture has been independently reviewed, not self-reported. It requires a documented incident response plan that your managing director has read and that your board has approved.

What independent governance oversight looks like

Independent governance oversight operates above the IT layer. It does not replace your IT provider - it provides the oversight layer that your IT provider cannot provide for itself.

In practical terms, this means reviewing your IT provider's documentation - their Cyber Essentials certificate, their SOC 2 report if applicable, their backup and recovery SLA - and assessing whether what they commit to is sufficient for your firm's FCA obligations. It means identifying the governance gaps that exist regardless of how competent your IT provider is. It means producing a board-ready report that gives your directors a documented, defensible record of the firm's governance position.

This is what GOIA does. We do not compete with your IT provider. We provide the independent governance layer that sits above them - and that the FCA's operational resilience framework implicitly requires.

A question to take to your next board meeting

Ask your board this: if your IT provider suffered a significant incident tomorrow - a ransomware attack, a data breach, a key person leaving - how would your firm demonstrate to the FCA that it had governance oversight in place before the incident occurred? That it had reviewed the risk, documented the exposure and had a response plan ready?

If the honest answer is that the firm would be pointing at the IT provider and saying "they were responsible", that is the governance gap GOIA exists to close.