Most of our work happens where the stakes, and the regulators, are highest. We bring sector-specific frameworks, vocabulary, and audit experience to every engagement. Below: the six industries we serve most often, and the regulatory expectations we operate against in each.
FCA- and PRA-regulated lenders, including mutuals.
From the largest retail banks down to the smallest mutual building societies, we operate fluently across the spectrum of UK deposit-takers. Our work spans operational resilience under PRA SS1/21 and PS21/3, third-party risk management, ISMS implementation aligned to BCBS 239 expectations, CQUEST baseline assessments, and DORA preparation for groups with EU subsidiaries. We have direct experience of the supervisory dialogue with both the PRA and the FCA, and we know the standard of evidence both regulators expect.
FCA-authorised PIs, EMIs, and scaling fintechs.
From sandbox entry to general availability, we take fintechs through the cybersecurity and compliance lifecycle that scales with their authorisation status. Our work covers PCI DSS v4.0, PSD2/SCA technical standards, AML technology controls, SOC 2 Type II readiness for enterprise customers, Open Banking security, and the operational resilience expectations now embedded in FCA supervision of payment firms.
NHS DTAC, DSPT, and clinical SaaS.
Healthtech sits at the intersection of two of the strictest regulatory regimes: clinical and data protection. We support digital health platforms, telemedicine providers, clinical decision support tools and femtech firms through NHS DTAC, the Data Security and Protection Toolkit (DSPT), UK GDPR alignment with full DPIAs, MHRA/MDR cyber annex requirements, and the new NIS2 Directive obligations for digital service providers.
Seed-stage to scale-up B2B technology.
We help B2B SaaS companies build security in alongside the product, not bolt it on after a breach. Our SaaS engagements typically combine SOC 2 Type I/II readiness, ISO 27001 (with 27017 / 27018 cloud and privacy extensions), customer security questionnaire response (the dreaded 200-question vendor due diligence), SecDevOps integration into your CI/CD, and supplier-grade penetration testing. We work fluently with AWS, Azure and GCP architectures.
Central & local government suppliers.
Selling to government means clearing a specific stack of cybersecurity gates. Cyber Essentials Plus is the entry-level requirement; the NCSC Cyber Assessment Framework (CAF) sits above it for systems-of-interest; GovAssure is the structured assurance regime increasingly used by departments. We support suppliers through all three, plus the supplier assurance questionnaires for Crown Commercial frameworks (G-Cloud, DOS, NHS-shared frameworks).
Law, accounting, tax, advisory.
Professional services firms operate in a high-trust environment where data leaks end careers. Our work for legal, accounting, tax and advisory firms focuses on client confidentiality, email security (DMARC/DKIM/SPF), insider threat programmes, matter-management security, and the SRA / ICAEW expectations for the protection of client information. We are familiar with the operational realities of partnerships and have advised on the cyber elements of mergers and lateral hires.
Our methodology travels well. If your industry has a compliance regime, a regulator, or a customer demanding security assurance, we can probably help. Tell us about your situation and we'll be honest about whether we're the right fit.