Regulated Financial SMEs

IT & Cyber Defensibility · For IFAs, wealth managers, DFMs, and advice firms · UK

Your compliance is in order. Your MSP says you're protected. Your FCA declarations are signed. Audit-ready without the panic? Not yet.

The exposure facing FCA-regulated advice firms is not simply non-compliance. It is non-provability, with named senior managers attached to the outcome.

This is an IT and cyber problem wearing a compliance costume. Not HR policy, not TCF file reviews, not COBS suitability - IT and cyber evidence.

Fixed price · Results in 5 working days · Board-ready output included

Does any of this sound familiar?

Advice firms often have policies, consultants, and MSPs. The problem is producing current, technical, decision-grade proof within 24 hours.

01 · MSP verbal assurance

Security is described as handled, but you cannot produce the control evidence, exceptions, and dates.

02 · FCA declarations vs operational reality

The paperwork says one thing. The tenant, devices, backups, and access model may say another.

03 · SMF 16/27 personal liability

The named manager needs evidence of reasonable steps, not a comforting supplier email.

04 · Client DDQ archaeology

Every due-diligence questionnaire becomes a hunt through old answers, screenshots, and assumptions.

05 · Sale process technical diligence

Buyers can turn weak IT evidence into valuation pressure, escrow, or re-trading.

06 · The compliance consultant gap

Conduct and file reviews do not prove MFA, backups, endpoint control, or third-party IT oversight.
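One place the gap between "handled" and "evidenced" can be checked directly is the Microsoft 365 tenant. The PowerShell below is an added example, not Axulu's tooling and not code from this page, showing how to produce the dated MFA evidence the first card asks for: the per-user registration state with the exceptions listed, and the Conditional Access policies that actually enforce MFA. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only AuditLog.Read.All and Policy.Read.All scopes; the output file names are this example's own choice.

```powershell
# Added example, not Axulu's tooling: export dated MFA evidence from a Microsoft 365 tenant.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account
# that can consent to the two read-only scopes below. Output file names are this example's choice.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All" -NoWelcome

$evidenceDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$stamp        = (Get-Date).ToString("yyyyMMdd")

# 1. Registration state: who has an MFA method registered, and who is the exception.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Exceptions are the evidence the card describes: every user without MFA registered, admins first.
$exceptions = $registration |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = "IsAdmin"; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = "MethodsRegistered"; Expression = { $_.MethodsRegistered -join ";" } },
        LastUpdatedDateTime

# 2. Enforcement: registration proves nothing unless a Conditional Access policy requires MFA.
#    A policy counts only if it is enabled and its grant controls include the built-in "mfa" control.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State,
    @{ Name = "RequiresMfa"; Expression = { $_.GrantControls.BuiltInControls -contains "mfa" } },
    ModifiedDateTime

$enforcing  = $policies | Where-Object { $_.State -eq "enabled" -and $_.RequiresMfa }
$reportOnly = $policies | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" -and $_.RequiresMfa }

$summary = [pscustomobject]@{
    EvidenceDateUtc       = $evidenceDate
    UsersInReport         = @($registration).Count
    MfaRegistered         = @($registration | Where-Object IsMfaRegistered).Count
    Exceptions            = @($exceptions).Count
    AdminExceptions       = @($exceptions | Where-Object IsAdmin).Count
    EnabledMfaPolicies    = @($enforcing).Count
    ReportOnlyMfaPolicies = @($reportOnly).Count
}

# Three dated artefacts: the exception list, the policy list, and the one-page summary.
$exceptions | Export-Csv -Path "mfa-exceptions-$stamp.csv" -NoTypeInformation
$policies   | Export-Csv -Path "ca-policies-$stamp.csv"    -NoTypeInformation
$summary    | ConvertTo-Json | Set-Content -Path "mfa-summary-$stamp.json"
$summary
```

Two caveats for reading the output. A registration figure of 100% with no enabled enforcing policy is not an MFA control, and an enforcing policy can still carve out users or groups through its exclusion conditions, so the policy CSV has to be read alongside the exception CSV rather than summarised into one number. The dates on each file are what turn a report into evidence: the same export repeated at each board or MSP review gives the "reviewed, accepted, remediated" record the rest of this page asks for.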

The villain

The gap between what you've declared and what you can prove - with your name on it

Under SM&CR, cyber and IT governance is not just an operational detail. It is part of how reasonable steps are evidenced.

The gap sits between your declarations, your MSP contract, your Microsoft 365 tenant, your backup platform, and the actual evidence you can produce.

When the FCA, an insurer, a client, or a buyer asks, a verbal assurance is not enough. The Duty of Responsibility asks what the named senior manager knew, did, documented, and reviewed.

Axulu's scope: IT & cyber evidence · MSP contract gaps · Microsoft 365/endpoint · SM&CR IT evidence · Client DDQs · Board-level IT governance · NOT: HR · TCF · COBS suitability

Personal liability is an evidence problem.

Under the SM&CR Duty of Responsibility, if a breach of FCA requirements occurs in a Senior Manager's area of responsibility, the FCA can take action against that named individual unless they can show they took reasonable steps to prevent or stop it. That showing rests on documented evidence with owners and dates. A verbal assurance from your MSP is not evidence.

Five threats

The pressure is already moving.

1 · Cyber insurers evidence-check at claim time

A renewal answer can become the test your claim fails later.

2 · FCA Consumer Duty needs continuous outcomes evidence

Good intent is not the same as a repeatable record of operational control.

3 · SM&CR Duty of Responsibility makes IT governance personal

Senior managers need evidence that oversight happened, not just that suppliers existed.

4 · Operational resilience (PS21/3) is past its transitional period

The transitional period for the FCA's operational resilience rules (SYSC 15A, made by PS21/3) ended on 31 March 2025. Firms in scope must have identified their important business services, set impact tolerances, and be able to show mapping and scenario-testing evidence that they can stay within them. SYSC 15A applies to enhanced-scope SM&CR firms and other specified categories rather than to every advice firm, but the FCA's general organisational requirements still expect a firm to evidence business continuity and oversight of its outsourced IT.

5 · PE and M&A buyers use technical diligence to write down valuations

Weak evidence becomes a pricing lever at the worst possible moment.

337% · Increase in FCA penalties 2024/25
1 in 4 · Cyber claims denied
5x+ · Revenue multiple at stake

Failed alternatives

Useful people. Wrong ownership model.

Your MSP

They operate systems. They do not usually maintain your SM&CR evidence position or buyer-ready proof pack.

Your compliance consultant

They handle FCA process and conduct expectations. They rarely validate the technical control evidence.

Your broker

They help place cover. They do not prove the answers would survive a claim.

Your Cyber Essentials certificate

Useful, but the basic level is a self-assessment of five baseline technical controls (firewalls, secure configuration, user access control, malware protection, security update management), which is far narrower than insurer, FCA, buyer, and client-DDQ scrutiny.

RACI ownership

Who actually owns the evidence?

Evidence obligation | You now | Your MSP | Axulu
Cyber insurance control evidence | Chased | Partial | Mapped
SM&CR IT evidence log | Thin | Not owned | Built
Client DDQ evidence pack | Reactive | Inputs | Ready
MFA and access governance | Assumed | Reports | Verified
Backup restore proof | Unknown | Operates | Tested
Operational resilience IT evidence | Fragmented | Technical | Board-ready
MSP contract gap review | Unclear | Conflicted | Owned
Board risk record | Ad hoc | Not scoped | Maintained
Sale diligence data room | Last-minute | Support | Packaged

Dream outcome

The 24-Hour Proof-Ready Firm

  • An FCA supervisor can ask and your evidence pack is already coherent.
  • A board meeting sees cyber risk in decision language, not tool screenshots.
  • A client DDQ can be answered from a maintained evidence base.
  • A cyber claim is supported by logs, owners, dates, and control proof.
  • A sale process does not expose undocumented IT assumptions.
  • The named Senior Manager can show reasonable steps without panic.

Matthew - Principal & Founder

Built from the other side of the desk.

I spent nine years running an IT firm that served regulated businesses. I know what an MSP contract says, what it excludes, and where the evidence gap lands. It lands on the senior manager. Every time.

TOGAF certified · 9 yrs IT MSP CEO · Regulated businesses · Microsoft 365 · vCIO · Barclays · Ashurst · IBM

Objections

The usual reasons to wait are exactly why the gap persists.

1 · Our MSP handles it
They may handle the tools. You still need governance evidence that shows what was reviewed, accepted, remediated, and owned.

2 · Our compliance consultant handles FCA
They are important, but most do not validate Microsoft 365, endpoint, backup, MSP exclusions, and cyber insurance proof.

3 · We have never had a claim denied
That is a history, not a control. Evidence gaps are cheapest before the first claim or regulator request.

4 · We passed an FCA review
Good. The question is whether the next review, claim, buyer, or client DDQ asks a more technical question.

5 · SM&CR is about conduct, not IT
IT governance supports operational resilience, client protection, outsourcing oversight, and reasonable steps.

6 · We're too small
Smaller firms are often more exposed because supplier oversight and evidence ownership sit with fewer people.

7 · We're not planning to sell
You still face insurers, clients, boards, and regulators. Sale readiness is only one version of proof readiness.

Offer ladder

Start with the smallest useful proof package.

From £4,500

Adviser Firm Evidence Sprint™

A concentrated build-out of the evidence packs needed for DDQs, FCA readiness, board reporting, or sale diligence.

From £2,500/month

Evidence Engine Retainer

Ongoing maintenance of your IT and cyber proof base across MSP outputs, board records, DDQs, and insurance requirements.

Guarantees

Plain promises. No theatre.

Top-Five Panic Point Guarantee

You leave knowing the five evidence gaps most likely to hurt under scrutiny.

Evidence Map or We Keep Working

If the map is not usable, we continue until it is.

No Personal-Liability Fairy Dust Promise

We will not pretend a pack removes accountability. It improves proof of reasonable steps.

No-Fluff No-Filler Guarantee

No generic governance theatre. Only evidence, owners, gaps, and decisions.

Audit-ready without the panic.

Start with the smallest useful scan, then decide whether the wider evidence engine needs building.