Aligned to NCSC CAF, FCA PS21/3, NIST CSF v2.0 and CIS Controls v8. Delivered through structured interviews and document review. No system access required.
Primary structural reference. Four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, minimising the impact of incidents. Referenced directly by the FCA in operational resilience guidance.
Regulatory anchor. Important Business Services identification, impact tolerance setting and third-party dependency mapping. Assessment outputs formatted for FCA supervisory file inclusion.
Technical depth reference. The most recognised international cybersecurity framework, accepted by insurers and compliance auditors. Used to provide structured sub-categories within each domain.
The most actionable, prioritised control implementation guidance for SMEs. Implementation Groups 1 and 2 map directly to GOIA's target client size. The CIS Controls v8 Gap Map is included in every Executive Review.
A governance assessment - not a penetration test. No privileged system access required. Delivered through structured interviews, document review and passive open-source analysis.
Assesses your firm's visible attack surface from the outside - public-facing domains, open ports and the services behind them, TLS (SSL) certificate status, DNS configuration and credentials appearing in public data breach datasets. This is what a threat actor sees before deciding whether your firm is worth targeting, and it is gathered without touching your systems.
Most IFA firms have never had an independent view of their external exposure. The findings are consistently more serious than any managing director expects.
Assesses how your firm controls who has access to what - and whether that access is properly enforced, regularly reviewed and cleanly removed when someone leaves. This covers MFA enforcement, privileged account management, shared credentials and offboarding processes.
The most common findings in this domain: MFA is not enforced on email, former staff credentials remain active for weeks after departure, and no documented access review has ever been conducted.
Assesses whether your firm's email domain is properly authenticated - meaning whether it is configured so that receiving mail servers can tell genuine mail from mail forged to appear to come from your address. This covers SPF (which servers are authorised to send for the domain), DKIM (cryptographic signing of outbound mail) and DMARC (what receivers should do with mail that fails those checks, and where to send reports).
A DMARC policy of p=none (or no DMARC record at all) tells receiving servers to take no action on mail that fails authentication, so your firm's email domain can currently be impersonated; only p=quarantine or p=reject enforces the policy. This creates a direct, specific risk of Business Email Compromise - a fraudulent payment instruction that appears to come from your managing director's address.
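The following is an added example, not part of the original page and not GOIA's own assessment tooling. It checks SPF and DMARC TXT records for the weaknesses described above: a p=none policy, an unenforced subdomain policy, a missing reporting address, a soft-fail or permissive SPF "all" term, and an SPF record that exceeds the RFC 7208 limit of 10 DNS lookups. The records are constructed for the hypothetical domain example-ifa.co.uk and embedded inline, so nothing is queried over the network; in practice the same strings come from `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
import re

# Constructed DNS TXT records for a hypothetical domain (assumption: these are what
# `dig +short TXT example-ifa.co.uk` and `dig +short TXT _dmarc.example-ifa.co.uk`
# would return; no real domain is queried). One weak set and one hardened set.
WEAK_RECORDS = {
    "example-ifa.co.uk": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example-ifa.co.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example-ifa.co.uk",
}
HARDENED_RECORDS = {
    "example-ifa.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example-ifa.co.uk": (
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@example-ifa.co.uk; ruf=mailto:dmarc@example-ifa.co.uk"
    ),
}

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means nothing flagged."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no record, so receivers cannot verify which servers may send for this domain"]
    findings = []
    terms = record.split()[1:]
    lookups = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and anything after ':' '/' or '=' to get the mechanism name.
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' term, so unlisted senders are treated as neutral")
    else:
        # A bare 'all' carries the default '+' qualifier, which passes everything.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises any host on the internet to send as this domain")
        elif qualifier in "~?":
            findings.append(f"SPF: '{qualifier}all' is softfail/neutral; enforcement depends on DMARC")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10, so evaluation returns permerror")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means nothing flagged."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no record; spoofed mail is delivered and no reports are generated"]
    tags = parse_dmarc_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none; mail failing SPF/DKIM alignment is still delivered, so the domain can be impersonated")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; spoofed mail is sent to junk rather than rejected")
    elif policy != "reject":
        findings.append(f"DMARC: missing or unrecognised policy '{policy}'")
    # The subdomain policy (sp) defaults to p when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"DMARC: subdomain policy is '{sub_policy}', so mail from any subdomain can be spoofed")
    # pct defaults to 100; anything lower applies the policy to only a sample of failing mail.
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}; the policy is applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so nobody receives aggregate reports")
    return findings


def assess_domain(records, domain):
    """Combine SPF and DMARC findings for one domain from a dict of TXT records."""
    return assess_spf(records.get(domain)) + assess_dmarc(records.get(f"_dmarc.{domain}"))


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        findings = assess_domain(records, "example-ifa.co.uk")
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the weak set this reports the soft-fail SPF, the p=none policy and the inherited subdomain policy; the hardened set produces no findings. Moving from p=none to p=reject should only be done after aggregate reports (rua) have confirmed that every legitimate sending service, including any third-party platform sending on the firm's behalf, passes SPF or DKIM alignment.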
Assesses whether your firm could recover its critical systems and client data following a significant incident - and whether that recovery could happen within the timeframes that FCA operational resilience rules require for your Important Business Services.
The question most managing directors cannot answer clearly: when did your IT provider last perform a full tested restoration in your presence, with a documented result?
Assesses whether your firm has a documented, board-aware incident response plan and whether the people who would lead the response know what to do, in what order, when an incident occurs. This covers insurer notification obligations, FCA reporting, ICO 72-hour notification and client communication.
In most IFA firms the IR plan either does not exist at board level, lives in IT provider documentation that the MD has never read, or has never been tested.
Assesses how well your firm can demonstrate to the FCA that it has met its operational resilience obligations. This is the domain most directly linked to personal director accountability. It covers Important Business Services identification, impact tolerances, Consumer Duty board champion oversight and third-party dependency mapping.
Patrick Murphy's Consumer Duty expertise and firsthand IFA governance experience is directly embedded in this domain.
Assesses whether cyber risk is genuinely owned and documented at board level - not just delegated informally to an IT provider. This covers whether a specific director owns cyber risk, whether cyber is a standing item on board meeting agendas and whether governance documentation exists that evidences board-level oversight.
The most common finding: the managing director is personally accountable under FCA rules but has no documented record of having reviewed or discussed cyber risk at board level.
Assesses the governance posture of your firm's key third-party dependencies - your IT managed service provider, investment platforms (Transact, Nucleus, Parmenion, Quilter) and practice management software. FCA operational resilience rules require firms to understand and manage third-party risk. Most IFA firms have never formally requested security assurance documentation from their MSP.
DORA implications are also addressed where relevant - for firms with EU-based clients or ICT providers operating across EU jurisdictions.
About the "What you receive" section
Each domain above shows a "What you receive" line. This is the specific document, rating, or structured finding that appears in your board-ready report and FCA compliance file. These are concrete deliverables - not theoretical findings.
The Executive Review applies all 8 domains to your specific governance context. Fixed fee. Board-ready. 10 working days.