How AMVIA Eliminated a London IFA's Cyber Risk — and Helped Them Pass an FCA Review

The Challenge

Meridian Wealth Partners (name changed for confidentiality) is a 45-person IFA firm based in the City of London with satellite offices in Surrey and Kent. In late 2024, the FCA notified them of an upcoming operational resilience thematic review — a deep-dive examination of their IT controls, business continuity plans, and cyber security posture.

84.2% of phishing attacks passed DMARC authentication in 2024 — meaning the most common email authentication standard provides limited protection against sophisticated attacks (Egress Phishing Threat Trends Report). (Microsoft)

Legacy authentication left enabled "just for that one app" — despite being the vector for 99%+ of password spray attacks (Thehackernews)

Legacy authentication protocols (IMAP, POP3, SMTP, Exchange ActiveSync, MAPI) do not support MFA and remain a frequent attack vector — Microsoft data shows: (Microsoft)

AMVIA's initial assessment uncovered several critical gaps: Microsoft 365 was deployed without Conditional Access policies or MFA enforcement; client data was stored in shared network drives with no access controls; backups had not been tested in 18 months; and the firm had no documented incident response plan or FCA notification procedure.

The Approach

AMVIA structured the engagement into three 30-day phases, each building on the last. Phase 1 focused on the most critical security gaps: MFA deployment, Conditional Access policies, email security, and backup verification. Phase 2 addressed governance: incident response playbooks, FCA reporting procedures, and staff security awareness training. Phase 3 delivered Cyber Essentials Plus certification, penetration testing, and preparation of board-level resilience evidence for the FCA review.

The Technology Deployed

The core security stack delivered included Microsoft 365 Business Premium licences with full Defender for Business deployment; Conditional Access policies with 14 rules covering risk-based sign-in, compliant device enforcement, and legacy authentication blocking; Microsoft Intune for device management across laptops and mobile devices; Veeam-backed immutable cloud backups with tested RTO of 4 hours; and Huntress EDR for managed detection and response.

The Outcome

Meridian passed their FCA operational resilience review with no findings requiring remediation. The review examiner specifically noted the quality of their incident response documentation and the completeness of their IT asset register. Since the engagement, AMVIA has continued as Meridian's managed IT and security provider — handling all IT operations, monthly security reporting to the board, and ongoing Cyber Essentials Plus renewal.