Wealth management firm St. James’s Place mandates Cyber Essentials Plus across network of Partner organisations

May 23, 2024 | Cyber Essentials

St. James’s Place (SJP) is a financial services company, specialising in face-to-face advice and life products such as pensions and other long-term investments. Founded in 1991, SJP employs around 3,000 people in the UK, supporting a Partnership network of over 2,800 independent businesses that provide expert financial advice to nearly a million clients. SJP is one of the UK’s largest pensions and life companies with over £170 billion of client funds under management.

Ever mindful of the evolving cyber threat to the financial services sector, SJP felt they needed a way to address concerns about the consistency of protection across the 2,800 businesses that make up their Partnership network. Tackling the issue head on, SJP has become the first organisation of its kind to extend its cyber security oversight of third-party suppliers to include its Partnership network of over 2,800 businesses.

SJP Divisional Director of Cyber Security, Matthew Smith, talks to us about the process of asking their immense internal supply chain to certify to Cyber Essentials Plus and the impact of that decision.

Is cyber security a growing concern for your partners?

The constantly changing landscape of cyber threats poses a significant challenge to all UK businesses. This is especially true for financial service organisations like ours, which store sensitive information that is highly sought-after by various malicious entities, from fraudsters and criminals to advanced cyber threat actors.

The SJP Partnership recognises the trust placed in us by our clients and the expectation of all stakeholders - be it shareholders, regulators, or clients - that we have the appropriate robust controls to protect our data and business.

Tell us about your partnership model

The SJP business is split between the corporate services that we provide centrally and the SJP Partnership, who manage and establish the relationships with our clients. The Partnership provide face-to-face financial advice and planning through our network of qualified advisors. This includes everything from tax and trust planning through to traditional investment services of ISA and pension products.

SJP Corporate is responsible for the financial products our Partnership network offer to clients. We also provide all the centralised services to support SJP business and client management, such as IT systems and business submission.

Cyber security is an integral part of our obligation to protect the information systems, ensure compliance with relevant regulations and apply the latest guidance and industry frameworks to maintain the confidentiality, integrity and availability of our business systems.

Over the years, our responsibility has evolved from maintaining cyber security oversight of our third-parties to including the support of our Partner network in securing their businesses.

What are the main security challenges in your internal supply chain?

The Partnership includes over 2,800 individual businesses carrying the SJP brand and is our first line of defence for security and the face of the business with our clients. Our main challenge is validating that the consistency of security controls and capabilities across each business within that network are robust enough to protect client and corporate data.

How did you hear about the Cyber Essentials scheme?

In 2016 we were looking for a standard to assess our corporate environment that had external recognition and independence. We identified Cyber Essentials as the only government-backed standard with a good baseline across the essential controls that would support our objectives.

While there are other standards available in the UK, Cyber Essentials appealed in its consistency, simplicity and focus. The core controls and the ‘cyber hygiene factor’ of Cyber Essentials ensure the basics are done and done well. Our own experience and wider knowledge of the threat landscape have helped us identify that it is usually a failing in doing the basics right that results in security incidents.

The Cyber Essentials scheme was created by the National Cyber Security Centre (NCSC), which suggests that it is based on reliable insight about the threat landscape for the UK and therefore a sensible and good fit for SJP. From 2016 we began to certify the central part of our business against the standard at the higher benchmark of Cyber Essentials Plus.

Why did you decide to go with Cyber Essentials?

From our own experience we knew that Cyber Essentials could be applied to any size of business. This was a perfect fit for our business model, which includes companies from small 1-2 person operations through to 300+ staffed businesses.

The Plus element of the standard was the key element in our selection and use in our Partnership. Through the network of Certification Bodies in the UK, we gained the scale necessary to be able to independently audit every business to the same standard. This means we can gain a high level of assurance that across the five baseline control areas, all businesses are meeting or exceeding this standard.

The relative cost of Cyber Essentials compared to other industry certifications was also a contributing factor.

What led you to addressing cyber security in your internal supply chain?

Connected with the growing cyber threat in the UK and an increased awareness at board level, we knew that our risk exposure and cyber incidents would only increase as our Partnership network grew.

Our concern was consistency and visibility of the individual businesses in their approach to cyber security, together with the Partnership’s collective responsibility in maintaining the brand and reputation of SJP.

While there are other options to gain oversight or achieve consistency such as mandating certain controls, we wanted to enable flexibility and independence. There are many ways to achieve good cyber security and one product/solution or approach is not necessarily right for all businesses.

By requiring Cyber Essentials Plus compliance, we can achieve consistency, but also independent verification that the controls are effective through onsite auditing. This means that we know that every CE+ certified business has correctly implemented the five baseline controls.

A CE+ compliant Partnership network has made a massive difference to our risk profile and our operational risk, and has provided a great baseline in which to further advance and demonstrate our control approach to cyber threats.

How did you make the case to your board that requiring your Partners to become CE+ certified was necessary?

The business case was relatively simple, but only because of the journey we had been on to establish an informed executive board on cyber and information security risk. Only through building the internal culture on cyber risk were we able to move forward with more proactive measures such as this programme of work.

Executive support was absolutely critical in the success of the programme, and a great example of where information security risk requires business ownership and leadership in order to drive success. With direct CEO engagement and visible support, together with leadership involvement across the business, we were able to drive the programme successfully and in a short timeframe.

How helpful did you find the Certification Bodies you worked with? How did you choose them?

We started by reaching out to IASME, explaining the size and scale of our Partnership and our plan to drive CE+ adoption across our businesses. This led to engagement with Central Government (DSIT) who were interested in partnering with SJP on our journey to deliver and also to take the lessons learned forward to advance the scheme’s uptake in the UK.

As the first private sector organisation to adopt CE+ at this scale, this central support was helpful. We were keen to ensure it was going to be a workable approach and solution for our partnership.

The Certification Bodies were a key part of our strategy and roll out, as without them, we could not make the accreditation scalable. Throughout the programme, their input has been invaluable, both in providing direct feedback about commonalities in assessments, and with advice on what we can do centrally to make the process easier for our Partnership.

The benefit of the network is we are not restricted to a handful of businesses, instead, any of the 300+ Certification Bodies in the UK can be used to achieve CE+.

Any issues you had along the way?

As with any programme of this size and scale, there were a number of challenges. These were primarily concerned with driving action and movement through the certification process, and not leaving things to the compliance deadline, but also in understanding the why.

We went on a hearts and minds exercise with our Partnership businesses, taking cyber security on the road to attend regional events, run multiple webinars and deliver online and in person training. We discussed the risks and cyber threat to UK businesses and also listened to and shared the internal stories of how it can happen to SJP Partner businesses.

This approach was key for us and the programme benefited greatly from having Partner businesses understand the risk and walk towards accreditation, rather than having it imposed on them. By spending this time and having open dialogue about the risks, we were able to drive over 1600 businesses through the accreditation process in 6 months.

What have the benefits been to your network in achieving Cyber Essentials Plus?

The benefits to our operational resilience have been significant. We are jointly responsible for the brand and reputation of SJP and by ensuring all practices are measured against the same core security principles, we have established a ‘high watermark’ across the business.

For us, it is critical the Plus component of the certification is emphasised; it is a significantly higher bar and gives us the confidence that each and every business has been independently assessed and audited by accredited security experts. This far exceeds the assurance we would have obtained from Cyber Essentials on its own and provides evidence to clients, regulators and other stakeholders of the controls we have across the businesses.

Security incident numbers have significantly reduced within the Partnership since 2023, evidencing the value and effectiveness of having the core controls in place. To put into numbers, we have seen around 80% reduction in cyber security incidents, which directly correlates to controls and best practice implemented through CE+.

Would you consider requiring your external supply chain to have Cyber Essentials certification?

We have always required our external supply chain to hold recognised industry certifications, such as ISO27001, Cyber Essentials, SOC2, where relevant and appropriate to the risk. Since our rollout to the Partnership, we have further expanded our supplier and third-party management processes, introducing further cyber requirements together with steering ‘lower risk’ suppliers that do not hold accreditations towards Cyber Essentials.

We recognise the position we have within the supply chain in the UK, and the positive impact that we have experienced with Cyber Essentials. There is huge value in the simplicity of the NCSC’s Cyber Essentials scheme that covers the key controls that all businesses should have to protect against the majority of today’s cyber threats and can be applied to businesses of all sizes.

What has been the biggest challenge and how did you overcome it?

Other than establishing the mandate and executive support to deliver such a programme, it was bringing the SJP Partnership on the journey with us. From day one, we did not want this to feel like a mandatory compliance activity without the context as to why we are asking the businesses to undertake it.

It is no small cost to go through CE+ and we wanted the Partnership to really understand why it was so critical to all of us to achieve it. Together we are increasing the operational resilience of the Partnership and protecting the brand and reputation of the business.

It was a difficult journey at the beginning and we brought in a communications lead to help us better design our messaging and awareness. Gradually we took away the ‘it will never happen to me’ response, and talked about real cases and about the size, cost and disruption that cyber-attacks can cause for a business.

Bringing the message home was key, and throughout our rollout of the standard, we travelled up and down the country to our regional hubs, delivered in-person briefings and online webinars, and launched an entire micro-site dedicated to what we were doing and why.

What advice would you give to other network organisations like yours?

Our advice would be to consider business processes end to end and the third-parties and external relationships that carry the brand and reputation of your business, which is often broader than those at your highest tier of governance and oversight.

There is a great deal of benefit in achieving a minimum standard/baseline across your external suppliers that can only be improved upon. For cyber security, it’s often not about being the fastest or best horse in the race, but not being the slowest either. By achieving CE across the organisation, you are pushing your businesses ahead of many others and making your business more defensible, and resilient to today’s threats.

Cyber Essentials is an annually renewable certification scheme that consists of five controls that, if implemented correctly, will significantly reduce the impact of common cyber attacks from the internet.

Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials but also includes a technical audit of your IT systems to verify that the controls are in place. In this way, it gives more assurance that you are complying with the scheme.

The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security. Its mission is to make the UK the safest place to live and work online. IASME delivers the Cyber Essentials scheme on behalf of the NCSC.