Cybersecurity and customer vulnerability

Cybersecurity has always been seen as a technical issue, but for financial services firms, it is now much broader than that. It has become a clear governance issue, particularly with Consumer Duty in full force and with the fresh emphasis it has placed on the responsibility of firms to avoid foreseeable harm and ensure good customer outcomes.

This is particularly important when considering vulnerable customers – a key component of Consumer Duty. Fraudsters are becoming increasingly sophisticated – using phishing techniques, impersonation scams and now AI-enabled deepfakes to exploit trust and manipulate individuals. Vulnerable customers can often be disproportionately affected. Someone dealing with a bereavement, financial stress, poor health or lower digital confidence and poor engagement capability may be more susceptible to manipulation and less likely to recognise the warning signs of fraud.

A clear challenge is that many firms have no idea who their vulnerable customers are. There is a distinct lack of robust data about vulnerable customers’ identities, the difficulties they face and the outcomes they receive. Before we worry about how we keep information safe, firms actually need to gather and store it first – as required under Consumer Duty. Robust data and analytics will allow firms to identify trends and patterns in behaviour that may indicate susceptibility. They will also be in a far better position to personalise journeys and work out how best they can minimise any potential harm and ensure a good outcome.

Governance is absolutely critical. In an intermediated market, customers’ data flows through increasingly complex distribution chains, often involving multiple platforms, providers and integrations. Firms also need to understand where information sits, who can access it, how it is protected and what happens if or when something goes wrong. Operational resilience requires visibility across the entire ecosystem, not just within a firm’s own boundaries. This becomes particularly pertinent given the increase in whistleblowing complaints relating to Consumer Duty. Increasingly, the industry is policing itself.

Recent joint guidance from the FCA and ICO has provided important clarity around customer vulnerability data. The statement confirmed that GDPR should not hinder the collection, recording, and storage of vulnerability information when it is needed to support good customer outcomes. Both organisations also actively encourage firms to share relevant information across the distribution chain. This should remove a concern that has existed for some firms around whether data protection rules prevent them from capturing and using information that could help customers.

Rather than being a barrier, data protection rules give firms the guardrails they need to record, store and share customer vulnerability information safely. They require firms to have robust systems capable of storing sensitive information, with high-level, shareable indicators or scores and role-based access controls ensuring that only appropriate individuals can access data. Equally important is the ability to monitor and report on customer outcomes so firms can evidence their Consumer Duty obligations and demonstrate that vulnerable customers are receiving the support they need.

A lot of customer vulnerability data is classed as special category data under GDPR, which is why more sophisticated protection and governance are required. Alongside the ability to delete information at the customers’ request, GDPR calls for data to be accurate. This doesn’t just mean up to date, but objective rather than subjective. Advisers relying on open text boxes within CRMs will continue to fall foul of this.

Customers are placing more personal information into firms' hands than ever before. Protecting that information, while using it responsibly to deliver better outcomes, is becoming fundamental to long-term success. Equally, there is a call to understand our customers better – certainly those in vulnerable circumstances. As we continue to shift towards digital-first and digital-only models, there is a need to recognise the communication preferences for each individual and share this with manufacturers. While for many vulnerable customers, this will still be a digital route, for others the digital world is a massive source of vulnerability, stress and isolation.

Andrew Gething

Andrew is the founder and managing director of MorganAsh. Andrew, a recognised consumer vulnerability specialist and champion, is the driving force behind the award-winning consumer vulnerability management tool, MARS – adopted in the financial services, credit and utilities sectors.
