IT Risk Compliance – What We All Need to Know

A clear theme emerging within Prowess, mirroring trends across the financial services industry and an increase in interest from our clients, is the growing emphasis on IT risk management, control enhancement and cybersecurity. This reflects heightened global and local concern about digital risk, cyber-threats and the sector’s rising dependence on complex technology platforms.

Regulators have responded accordingly. Over the past two years, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority have issued two Joint Standards that now form the backbone of IT and cyber-risk expectations:

Joint Standard 1 of 2023 – IT Governance and Risk Management

Effective November 2024
This standard establishes extensive organisational, governance and assurance requirements. It defines the minimum controls needed across areas such as access rights, data protection, performance and capacity planning, change management, staff and contractor oversight, system documentation, training, and more.

Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience

Effective June 2025
This standard focuses on the technical and operational controls necessary to secure and protect digital environments. These include user authentication, endpoint security, patch management, penetration and vulnerability assessments, scenario planning, data-loss-prevention measures, and network perimeter security.


Key Themes Emerging Across Both Standards

Despite covering different domains, the two standards are aligned and collectively introduce several overarching expectations that Asset Managers must respond to:

  1. IT Risk is now a core governance priority

Cyber and IT risks are recognised as enterprise-wide risks requiring the same level of Board-level oversight as financial, credit or market risk. The ability to prevent, withstand and recover from incidents is now a strategic responsibility, not merely a technical one.

  2. A comprehensive, integrated Risk Management Framework is essential

Organisations must implement a framework aligned with their IT, cybersecurity and broader business strategies. This includes policies, control objectives, technical standards, key risk indicators (KRIs), risk inventories and structured reporting, all continuously monitored.

  3. Testing is fundamental, preparation is everything

Penetration testing, vulnerability assessments, scenario-based continuity testing, and evidencing of control execution are essential. Controls must operate effectively and be demonstrable for independent assurance.

  4. Culture is the decisive factor

Compliance cannot be achieved from an ivory tower. Staff behaviour remains the first line of defence, and an organisation’s security posture will always correlate with the strength of its weakest link. Awareness, training and embedded responsibility are fundamental.


Our Position at Prowess

Like many in our industry, Prowess has invested significant time, analysis and ongoing effort to meet these regulatory expectations. We recognise, however, that this shift is both necessary and timely. As the digital landscape continues to evolve, and as threats grow in frequency and sophistication, stronger controls, robust governance and a vigilant culture are essential.

Ultimately, this isn’t just about regulatory compliance. It’s about safeguarding the trust our clients place in us and ensuring that we continue to meet our responsibilities as stewards of their assets in an increasingly interconnected and high-risk world.


How Clients Can Ensure Managers Meet the New IT & Cyber Standards

Clients can ensure their managers meet the requirements of both Joint Standards by requesting clear, documented evidence of IT and cybersecurity controls, incorporating these obligations into due-diligence processes, and seeking independent assurance that those controls operate effectively. Ultimately, clients should look for strong governance, a mature security culture and demonstrable incident-readiness to confirm that managers are meeting both regulatory and operational expectations.