ToraGuard

In the ever-evolving landscape of cyber threats, small and medium-sized investment management firms in the UK are under increasing pressure to bolster their cyber security measures. However, as the frequency and sophistication of cyberattacks rise, so do the associated costs.

This prompts a critical question for senior management:

Are we investing wisely in cyber security, or are we overspending without commensurate returns?

The Rising Tide Of Cyber Security Expenditure

Cyber security budgets have seen a significant uptick in recent years. According to a 2025 survey by Infosecurity Europe, organisations anticipate an average growth rate of 31% in their cyber security budgets over the next 12 months, with 20% expecting increases exceeding 50%.

UK investment management firms increased their cyber security spend from 0.3% to 0.5% of revenue over the five years preceding 2024, according to Deloitte. That’s a 60% increase in cyber security spend over the same period. This surge is driven by the escalating threat landscape, regulatory pressures, and the need to protect sensitive financial data.

However, are these firms paying too much for the value they receive?

Assessing The Value Of Cyber Security Investments

As high-profile cyber security incidents escalate, investing in cyber security solutions has become essential for firms committed to digital resilience. However, with a plethora of options available, growing investment management firms face an emerging risk: acquiring cyber security solutions that, relative to their specific risk profile, are either excessive or insufficient, and that may introduce additional vulnerabilities.

While increased spending on cyber security is essential, it’s equally important to evaluate the return on investment (ROI). A 2023 report by S-RM found that only 49% of firms perceived their cyber security technology investments as providing high value for money, a decline from previous years. This indicates a growing awareness that merely increasing expenditure doesn’t necessarily translate to enhanced security.

For senior management, it’s crucial to assess whether current investments are effectively mitigating risks. This involves scrutinising the efficacy of existing tools, the adequacy of staff training, and the alignment of cyber security strategies with the firm’s specific risk profile.

How GRC Can Optimise Cyber Security Spending

To ensure that cyber security investments are both effective and efficient, consider implementing a robust cyber security Governance, Risk, and Compliance (GRC) framework – tailored to your business.

Cyber security GRC is an integrated approach that enables firms to manage their cyber security posture in a structured and efficient manner. GRC frameworks help organisations align their cyber security strategies with business objectives, ensure compliance with regulatory requirements, and manage risks effectively.

For investment management firms, implementing a cyber security GRC framework can offer several benefits:

  • Enhanced Risk Management: GRC frameworks provide a structured approach to identifying, assessing, and mitigating cyber security risks. This enables firms to proactively address potential threats before they escalate.
  • Regulatory Compliance: The financial services industry is subject to stringent regulatory requirements, including MiFID II, GDPR, and the upcoming Digital Operational Resilience Act (DORA). A GRC framework helps firms stay compliant with these regulations, reducing the risk of penalties and reputational damage.
  • Operational Efficiency: By integrating risk management and compliance processes, GRC frameworks streamline operations, reduce duplication of efforts, and improve resource allocation.
  • Cost Savings: Implementing a GRC framework can lead to cost savings by identifying inefficiencies, reducing the need for redundant tools, and preventing costly security incidents.

Features of a robust GRC framework

Implementing a robust cyber security GRC framework can help small and medium-sized firms optimise cost. A robust cyber security GRC framework incorporates the following strategies at its core:

  • A Risk-Based Approach

Rather than adopting a one-size-fits-all strategy, tailor cyber security investments to the firm’s specific risk profile. This involves identifying critical assets, assessing potential threats, and allocating resources accordingly. Implementing a comprehensive but tailored risk management process can maintain—and often improve—an organisation’s risk profile without increasing costs.

  • Basic Cyber Hygiene Practices

Simple measures can significantly reduce vulnerabilities. Organisations that implement even the most basic cyber security controls can protect themselves from up to 80% of common cyberattacks.

  • Consolidated Security Tools

Utilising multiple cyber security tools can lead to complexity and inefficiencies. Research indicates that enterprises with too many cyber security tools are less adept at detecting and responding to attacks compared to those with fewer solutions. Consolidating tools can streamline operations and reduce costs.

  • Prioritised Employee Training

Human error remains a significant factor in security breaches. Investing in regular training ensures that employees are aware of potential threats and know how to respond appropriately. According to a report by Vodafone Business, 52% of UK SME employees have received no cyber security training, highlighting a critical area for improvement.

  • Leveraged expertise (e.g. Virtual Chief Information Security Officers (vCISOs))

Hiring a full-time Chief Information Security Officer (CISO) can be costly for SMEs. Engaging a vCISO allows firms to access expert guidance on a flexible basis, aligning with their budgetary constraints.

Bonus Tip: Leveraging Government Incentives

Recognising the challenges faced by SMEs, the UK government has introduced initiatives to alleviate the financial burden of cyber security investments. One such measure is the proposed “super-deduction” tax incentive, which aims to offer a 25p tax break for every £1 spent on cyber security by firms employing fewer than 500 staff. This incentive encourages businesses to invest in robust cyber security measures without straining their financial resources.

Conclusion

For senior management at small and medium-sized investment management firms, the question is not merely about how much to spend on cyber security, but how to spend it wisely.

By implementing a GRC framework, firms can enhance their cyber security posture, achieve regulatory compliance, and realise cost savings. In the digital age, a balanced and strategic approach to cyber security is not just a necessity—it’s a competitive advantage.
