Here are twelve due diligence questions FCA-regulated firms should ask any managed security provider, plus the red flags that should make you walk away from the deal.
Choosing a managed security provider when you're FCA-regulated comes down to one question: can they evidence what they claim, and does that evidence hold up when your auditor or the regulator starts pulling threads? Below are the twelve questions I'd put to any provider before signing anything, with the red flags that should make you pause. I'll be honest, I run a managed security service myself, so I know exactly which of these make a provider shift in their seat. If they can't answer with specifics, that is your answer.
Use it as a scorecard. Send it ahead of the meeting if you want to be kind, or save it for the room if you'd rather watch them think on their feet.
A good provider names the specific obligations you carry, not the buzzword. They should talk about operational resilience under PS21/3, Consumer Duty, and how their service feeds your accountability under SM&CR (the Senior Managers and Certification Regime, which means a named person at your firm is personally on the hook for this). The provider supports that person. They don't replace them.
Ask for: examples of FCA-regulated clients, the FCA publications that actually shape how they deliver, and how they help you stand behind your regulatory attestations.
Red flag: they keep saying "compliance support" but can't name a single policy statement or tell you what an important business service is.
An impact tolerance is the maximum disruption to an important business service you can take before it causes intolerable harm to clients or markets. The operational resilience transition period ended on 31 March 2025, so you're now expected to operate within those tolerances and evidence it day to day. Your provider's monitoring, detection and recovery should map straight onto that, not sit alongside it.
Ask for: how their incident response keeps you inside tolerance, their notification and escalation timings, and how they fit into your recovery plans rather than running their own in parallel.
Red flag: they treat an incident as a purely technical event and can't connect it to business impact. If the first thing they reach for is a CVE number rather than "which of your services is at risk", that tells you plenty.
You own the risk of anything you outsource. Full stop. The FCA's critical third parties regime (final rules from 1 January 2025, under the Financial Services and Markets Act 2023) and the new operational incident and third-party reporting rules confirmed in PS26/2 (in force 18 March 2027) have made supply-chain risk a board-level concern. In 2025, over 40% of cyber incidents reported to the FCA involved a third party, so the regulator is very much looking down the chain.
Ask for: a SOC 2 Type II report (an independent audit of their controls over a period of time, not a single snapshot), ISO 27001 certification, and Cyber Essentials Plus. Then push on audit and inspection rights in the contract, plus how they handle concentration risk and exit planning.
Red flag: they bristle at giving you audit rights, or hand you a one-page "we take security seriously" PDF instead of an actual report.
You need a clear answer on data residency under UK GDPR before you sign, and you need it in writing. This bites hardest when a provider runs a global SOC (security operations centre) that might route your logs and alerts through other jurisdictions without anyone flagging it.
Ask for: a data flow diagram, the processing locations, the transfer mechanism for anything that leaves the UK, and a contractual commitment on residency.
Red flag: vagueness about where data sits, or "it's in the cloud" offered up as if that answers the question.
Ask for actual metrics, not capability slides. Mean time to detect (MTTD) and mean time to respond (MTTR) are the ones that matter, and they should map to your impact tolerances rather than to a generic SLA template. A provider who's done this in anger will have the numbers ready.
Ask for: case studies from similar firms, their threat intelligence sources, how they tune detection for a financial services environment, and how they keep false positives down so your team isn't drowning in noise.
Red flag: reluctance to share performance numbers, or an SLA that promises to "acknowledge" an alert within an hour but commits to nothing about actually dealing with it.
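As an added illustration (not from the original post) of the difference between metrics that map to impact tolerances and metrics that only satisfy an "acknowledge within an hour" SLA, the script below takes a provider's incident export and computes MTTD, mean time to acknowledge and MTTR (to containment) per important business service, flagging every incident that ran past that service's tolerance. Service names, tolerances and incident timestamps are constructed sample data.

```python
"""Score a provider's incident history against your impact tolerances.

Added example, not the post's own material. All services, tolerances and
incident records below are constructed sample data.
"""
from datetime import datetime, timedelta
from statistics import mean

# Constructed impact tolerances per important business service: hours of
# disruption before harm to clients or markets becomes intolerable.
TOLERANCES_HOURS = {"payments": 2, "client-portal": 8}

# Constructed incident export in the shape a provider might hand over:
# (service, started, detected, acknowledged, contained), ISO 8601 local times.
INCIDENTS = [
    ("payments", "2025-05-01T09:00", "2025-05-01T09:20", "2025-05-01T09:25", "2025-05-01T10:30"),
    ("payments", "2025-06-12T14:00", "2025-06-12T14:10", "2025-06-12T14:15", "2025-06-12T17:00"),
    ("client-portal", "2025-07-03T01:00", "2025-07-03T03:00", "2025-07-03T03:30", "2025-07-03T06:00"),
]


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)


def scorecard(incidents=INCIDENTS, tolerances=TOLERANCES_HOURS):
    """Per service: MTTD, MTTA, MTTR measured from incident start, and the
    number of incidents whose time to containment exceeded the tolerance.
    MTTA is included only to show how flattering it looks next to MTTR."""
    out = {}
    for service, tol in tolerances.items():
        rows = [r for r in incidents if r[0] == service]
        if not rows:
            out[service] = {"incidents": 0, "tolerance_h": tol, "breaches": 0}
            continue
        detect = [_hours(r[1], r[2]) for r in rows]   # start -> detected
        ack = [_hours(r[1], r[3]) for r in rows]      # start -> acknowledged
        contain = [_hours(r[1], r[4]) for r in rows]  # start -> contained
        out[service] = {
            "incidents": len(rows),
            "mttd_h": round(mean(detect), 2),
            "mtta_h": round(mean(ack), 2),
            "mttr_h": round(mean(contain), 2),
            "tolerance_h": tol,
            "breaches": sum(1 for t in contain if t > tol),
        }
    return out


if __name__ == "__main__":
    for service, row in scorecard().items():
        print(service, row)
```

In the sample data the provider acknowledges every payments incident within half an hour, yet one of the two ran to three hours against a two-hour tolerance; that is the gap an acknowledgement-only SLA hides.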
Your logging and reporting have to produce the evidence you'll hand to an auditor or the FCA, not just dashboards that look good on a screen. With the single incident-reporting portal arriving under PS26/2, your provider needs to help you spot quickly when something has crossed a reporting threshold, because that clock is unforgiving.
Ask for: how they categorise and escalate material incidents, whether they've supported clients through an FCA examination, and exactly what documentation they produce for audit.
Red flag: reporting is clearly an afterthought, bolted on rather than built in.
Technical controls with no business translation won't satisfy senior management oversight. The provider should turn events and metrics into something a board can actually make a decision on. This matters most for smaller firms where the internal team is thin and the directors are relying on the provider to tell them where they stand.
Ask for: their executive reporting, the handful of metrics they'd put in front of a board, and risk scoring that's tied to business impact rather than raw alert counts.
Red flag: every report is a wall of technical detail that no executive will ever read past the first page.
New products, an acquisition, a new market: all of it moves your risk profile, and your provider needs to flex with it without forcing you to re-paper the entire contract every time. Firms grow into their security maturity, and the service should grow with them.
Ask for: examples of how they've grown services for existing clients, how often they reassess risk, and a pricing model that's transparent enough that maturing doesn't feel like a penalty.
Red flag: rigid tiers and pricing that turn every change into a painful renegotiation.
You're buying an operational relationship, not a product off a shelf, so the provider's own resilience and financial health are your concern too. If they go under or lose their key people, that is a material operational risk, and you're the one accountable for it.
Ask for: their business continuity and disaster recovery arrangements, their financial position, staff retention and key-person cover, and an honest account of how they've handled their own incidents.
Red flag: they'll happily audit your environment all day but go quiet the moment you ask about theirs.
Generic monitoring misses the attacks aimed squarely at your sector: business email compromise targeting a payment run, fraud patterns, social engineering dressed up as regulatory pressure. A provider worth hiring knows what's hunting financial firms specifically.
Ask for: membership of financial-sector information sharing communities (FS-ISAC and the like), named threat actors and campaigns relevant to the sector, and how that intelligence actually feeds their detection rules rather than sitting in a quarterly slide.
Red flag: every client gets the same detection rules regardless of what they do.
The service is only ever as good as the analysts behind it. Tooling matters, but a tool with a logo on it isn't a SOC. You want assurance that experienced people, who understand your environment, are the ones making the call when something fires at 3am.
Ask for: analyst certifications, the analyst-to-client ratio, and how they handle burnout and retention, because high churn quietly erodes detection quality.
Red flag: high turnover, dodging questions about qualifications, or a service model that's automation with a thin human veneer.
A good provider builds your capability over time instead of quietly locking you in. They should be honest with you about what's worth keeping in-house and what genuinely makes sense to outsource, even when that conversation costs them a bit of scope.
Ask for: their approach to knowledge transfer, how they define success beyond an incident count, and how the service connects to the things you actually care about, like adopting cloud confidently or getting a product out faster.
Red flag: resistance to building your own team's capability, or an account manager whose only real measure of success is the renewal.
Run a provider through all twelve and pay attention to where they get specific and where they get slippery. The specifics are where the truth is. Vague reassurance is the tell.
And yes, I run a managed security service, so I'm one of the people you'd point these questions at. Use them on me too. If a provider, me included, can't give you straight answers backed by evidence, you've learned something useful before signing anything. If you want a second pair of eyes on a provider you're already evaluating, give me a shout, always happy to grab a coffee.
At minimum, look for SOC 2 Type II, ISO 27001, and Cyber Essentials Plus. SOC 2 Type II is the most telling because it audits their controls over a period of months rather than on a single day, so it's harder to stage. None of these prove the service is good on their own, but their absence tells you the provider hasn't done the basics on itself.
They do different jobs. ISO 27001 certifies that an information security management system exists and is being run. SOC 2 Type II reports on whether specific controls actually operated effectively over a defined period. For due diligence I'd want both, but if I could only see one, SOC 2 Type II usually shows more about how the provider really behaves day to day.
Yes. Outsourcing the operational work doesn't outsource the accountability. Under SM&CR a named person at your firm remains responsible, and the FCA expects senior management oversight of outsourced arrangements. A good provider reduces the headcount you need and sharpens the people you keep, but it never gets you to zero.
The critical third parties regime (final rules from 1 January 2025) lets regulators designate third parties whose failure could threaten financial stability and place obligations directly on them. For most firms your security provider won't be designated, but the direction of travel is clear: the FCA wants to see through your supply chain. Pick a provider who can give you the evidence and reporting you'll need as those expectations tighten, especially with the new incident and third-party reporting rules landing on 18 March 2027.
An MSP (managed service provider) runs your IT. An MSSP (managed security service provider) runs your security monitoring, detection and response. Some firms do both, which can be convenient, but check they're not marking their own homework: the team watching for problems shouldn't be the same team whose work created them.