How St James’s Place Used Cyber Essentials to Dramatically Reduce Supply Chain Risks

 

“A CE+ compliant Partnership network has made a massive difference to our risk profile and our operational risk, and has provided a great baseline in which to further advance and demonstrate our control approach to cyber threats.” (St James’s Place)

St James’s Place (SJP), a significant player in the UK wealth management market, mandated that every business in its partnership network be Cyber Essentials Plus certified. The network comprises over 2,800 independent businesses, making this decision an ambitious undertaking.

Supply chains pose a significant cyber risk to all organisations due to their interconnected nature and reliance on third-party vendors, creating numerous entry points for attackers to exploit vulnerabilities and compromise sensitive data or systems. For SJP, a further risk was reputational damage, as its partners carry the SJP branding. Divisional Director of Cyber Security, Matthew Smith, added: “Our main challenge is validating that the consistency of security controls and capabilities across each business within that network are robust enough to protect client and corporate data”. As a result of this move, all clients can trust and have confidence that they are working with a business that takes cyber security seriously.

 

In previous blogs we’ve discussed why organisations opt for Cyber Essentials Plus over Cyber Essentials, with some of these reasons including increased credibility, peace of mind and a competitive advantage. SJP followed suit and opted for the Plus version. According to them, it gave them the capacity to independently evaluate each business, through the Cyber Essentials certification bodies, providing a uniform standard. This allowed them to confidently ensure that all businesses are meeting or surpassing the standard across the five fundamental Cyber Essentials control areas.

 

In six months, they were able to get over 1,600 businesses through the accreditation process, which was a fantastic achievement.

“Achieving Cyber Essentials Plus compliance across their partnership network has helped St James’s Place reduce cyber security incidents by approximately 80%.” 

This fantastic statistic from the NCSC 2024 Annual Review emphasises the impact SJP’s decision had on its whole supply chain, showing that it was worth the investment for both SJP and the businesses.

 

Mandating Cyber Essentials – Is it Right for Your Organisation?

Whilst the Cyber Essentials scheme has been around since 2014, there has been a huge uptick in the number of organisations looking to achieve certification. According to the NCSC, both Cyber Essentials and Cyber Essentials Plus last year saw a 20% increase in certificates being awarded. There are many reasons for this, such as how organisations, now more than ever, are taking cyber security seriously or how businesses are seeing more opportunities open to them if certified. In particular, new customers, clients and suppliers are openly looking for the Cyber Essentials stamp of approval.

To bid for government tenders, you must have at least Cyber Essentials, and to be eligible for certain funding you must again be certified. Another recent example is a joint statement by the Government and 6 major UK banks, which stated that these financial institutions will “expand the role that Cyber Essentials plays in their supply chain risk management processes”.

 

There are a lot of considerations when discussing whether an organisation should mandate Cyber Essentials within its supply chain. It would take thorough planning, time commitments and the realisation that some businesses may not take cyber security as seriously as you do. Thankfully, as seen in the above examples, the UK Government is making huge strides in improving the UK economy’s cyber resilience and is helping organisations that want to implement this mandate through the process.

If mandating Cyber Essentials across your supply chain just isn’t feasible for you at this time, there are still steps you can take to reduce supply chain risks. Having the certification in place yourself already dramatically reduces cyber risks. In fact, certified organisations are 92% less likely to make a claim on cyber insurance compared to organisations without the certification. Further work to mature your cyber security processes can be planned out, as these changes take time. Even just considering whether to mandate Cyber Essentials across your supply chain is already a step in the right direction.

 

Currently, only 48% of large businesses are formally reviewing the cyber risks of their immediate supply chain, with the rate for smaller companies being even lower. If this is something you aren’t already doing, this is the next step. Already reviewing your supply chain risk for immediate suppliers? Then, your next step to mature your processes is to look at your wider supply chain. According to the Government’s report last year, only 23% of large businesses are formally reviewing their wider supply chain.

To conclude, here is another interesting statistic from the 2024 Cyber Essentials Impact Evaluation: “Cyber Essentials users (61%) say they are more likely to choose suppliers that are Cyber Essentials certified than those without certification, while three quarters (75%) say they have greater confidence working with certified suppliers.”

This highlights how SJP’s decision to mandate Cyber Essentials Plus has significantly reduced supply chain risks, ensuring consistent security standards across its entire network. By strengthening cyber resilience at every level, SJP has mitigated vulnerabilities that could have been exploited through third-party relationships, setting a strong example for organisations looking to secure their own supply chains.

 

Data Connect: Helping you get Certified

As a Cyber Advisor and Cyber Essentials Certification Body, Data Connect is able to help you with your own certification journey, plus discussions around mitigating cyber risks. Get in touch today to speak to an expert.
