The Agency handling your customer data probably doesn't have Cyber Essentials. Ask Them.

The quiet security gap in ecommerce supply chains, and why brands that care about their customer data should start asking uncomfortable questions of the people who touch it.

Phill Manson

4/9/2026
6 min read

[Image: padlock on a keyboard, representing cyber security]
The risk that is not on your risk register

Your customer database is, as we have argued before, one of the most valuable assets your business owns. It contains purchase history, behavioural data, email addresses, phone numbers, postal addresses. In some cases it contains payment instrument references, subscription preferences, and loyalty tier information. For a mid-size DTC brand, that database might represent hundreds of thousands of records built over years of acquisition spend.

Now ask yourself a simple question: how many of the third parties with access to that data can demonstrate, with a government-recognised certification, that they have basic cyber security controls in place?

For most brands, the honest answer is: they have never checked.

That is the gap this article is about.

What Cyber Essentials actually is

Cyber Essentials is a UK government-backed certification scheme, overseen by the National Cyber Security Centre, that verifies an organisation has implemented five foundational security controls: firewalls, secure configuration, user access control, malware protection, and patch management. There are two levels - a self-assessed version and Cyber Essentials Plus, which includes an independent technical audit.

It is not ISO 27001. It is not a comprehensive information security management framework. It does not claim to be. What it is, and this is the important bit, is the minimum standard. The government's own baseline for what any organisation handling data should have in place before it touches anything sensitive.

Certification starts at £320 plus VAT. The process, for a reasonably organised business, takes weeks rather than months. It is not burdensome. It is not expensive. It is not technically exotic.

Which makes the number of agencies, consultancies, and technology partners operating in the ecommerce space without it genuinely surprising.

The supply chain nobody is auditing

The conversation about data security in ecommerce tends to focus on the brand itself. GDPR compliance, cookie consent frameworks, privacy policies, breach notification obligations. These are legitimate concerns and the regulatory attention is appropriate.

What gets less attention is the supply chain of third parties that touches the customer data on behalf of the brand. The email marketing agency that has admin access to your Klaviyo account and therefore your full subscriber list. The CRM consultancy running your flows and exporting segments. The development agency with access to your Shopify back end. The freelancer who was given credentials eighteen months ago and whose access was never reviewed.

Each of those access points is a potential vulnerability. Not because the people involved are untrustworthy, but because cyber attacks are not typically targeted at specific individuals. They exploit weak configurations, unpatched systems, and poor access controls: precisely the things that Cyber Essentials certification is designed to verify are in place.

A brand that has invested in GDPR compliance and data governance internally, but hands access credentials to a third party that has never been asked about its security posture, has a significant gap between its stated commitment to data protection and its actual risk exposure.

The numbers are not reassuring

Businesses and organisations with Cyber Essentials controls in place make 92% fewer insurance claims. That figure is from the NCSC itself.

With nearly half of UK businesses impacted by cybercrime last year, securing your supply chain is more important than ever.

The pattern in most breaches involving agencies or third-party access is not sophisticated nation-state activity. It is basic: default credentials not changed, MFA not enabled, software not patched, access not revoked when a team member leaves. These are not advanced attack vectors. They are the digital equivalent of leaving the office door unlocked because nobody on the team thought it was their job to lock it.

Cyber Essentials certification does not prevent every attack. Nothing does. What it does is close the doors that most attackers are simply checking to see whether they have been left open.

Why the GDPR framing is insufficient

Most brands, when they think about data risk with third parties, think about it through a contractual lens. Data Processing Agreements. GDPR Article 28 obligations. Standard contractual clauses. These are necessary, and if your legal counsel has not ensured they are in place with every data processor, that conversation needs to happen.

But a Data Processing Agreement is a document. It describes obligations. It does not verify that the controls exist to fulfil those obligations. An agency can sign a DPA confirming it will implement appropriate technical measures to protect personal data, while running an organisation where half the team share a single login, software updates get deferred indefinitely, and no one has looked at the firewall configuration since the office moved.

The DPA describes the commitment. Cyber Essentials certification verifies, at least at a baseline level, that there is something behind it.

For brands serious about data governance, the two are not substitutes. They are complements. The contractual framework and the technical verification should both be in place.

The question worth adding to your next agency briefing

There is a practical implication here that is more actionable than most security conversations tend to be.

When you next brief an agency, onboard a new CRM partner, or extend access to a third-party tool, add one question to your process: do you hold Cyber Essentials certification, and can you share the certificate?

If the answer is yes, you have a baseline level of assurance that the five foundational controls are in place. The certificate is valid for twelve months and must be renewed annually, so it also tells you something about whether the organisation treats security as an ongoing discipline rather than a one-time box-tick.

If the answer is no, that does not automatically disqualify the supplier. But it should prompt a conversation. Why not? Is certification in progress? What controls are in place in its absence? The answers to those questions are revealing.

And if the answer is a blank look followed by a pivot to talking about how seriously they take client data, that is information too.
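One way to make the question above, and the earlier point about credentials handed out eighteen months ago and never reviewed, part of a repeatable process is to keep a register of every third party with access to the customer database and check it on a schedule. The script below is an added example written for this article, not code from the original post or from any tool it mentions. It assumes a simple in-house register (the suppliers, systems and dates are constructed sample data), the twelve-month certificate validity stated above, and a ninety-day access review cadence that is an assumption, not an article claim.

```python
"""Third-party access register check.

Added example, not from the original article. Flags two gaps the article
describes: a supplier with no current Cyber Essentials certificate on
file, and an access grant that nobody has reviewed recently.
All supplier names, systems and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

CERT_VALIDITY = timedelta(days=365)    # certificate is valid for twelve months (article)
REVIEW_INTERVAL = timedelta(days=90)   # assumed review cadence, not stated in the article
AS_OF = date(2026, 4, 9)               # constructed "today" for the sample run


@dataclass
class Supplier:
    name: str
    systems: List[str]                        # what the supplier can reach
    access_granted: date
    last_access_review: Optional[date]        # None means never reviewed since the grant
    ce_certified_on: Optional[date] = None    # issue date of the certificate, if held
    ce_plus: bool = False                     # Cyber Essentials Plus (independent audit)


def cert_valid(s: Supplier, today: date) -> bool:
    """True if a Cyber Essentials certificate was issued within the last twelve months."""
    return s.ce_certified_on is not None and today - s.ce_certified_on < CERT_VALIDITY


def review_overdue(s: Supplier, today: date) -> bool:
    """True if the access grant has gone longer than REVIEW_INTERVAL without a review."""
    last = s.last_access_review or s.access_granted
    return today - last > REVIEW_INTERVAL


def assess(suppliers: List[Supplier], today: date) -> Dict[str, List[str]]:
    """Return, per supplier, the list of questions the register says you should be asking."""
    findings: Dict[str, List[str]] = {}
    for s in suppliers:
        issues: List[str] = []
        if s.ce_certified_on is None:
            issues.append("no Cyber Essentials certificate on file: ask for one")
        elif not cert_valid(s, today):
            issues.append("certificate older than twelve months: ask for renewal evidence")
        if review_overdue(s, today):
            issues.append(
                f"access to {', '.join(s.systems)} not reviewed since "
                f"{(s.last_access_review or s.access_granted).isoformat()}: review or revoke"
            )
        findings[s.name] = issues
    return findings


def suppliers_to_question(findings: Dict[str, List[str]]) -> List[str]:
    """Names of suppliers with at least one open question, in stable order."""
    return sorted(name for name, issues in findings.items() if issues)


def sample_register() -> List[Supplier]:
    """Constructed sample data mirroring the article's examples."""
    return [
        Supplier("Email agency (sample)", ["Klaviyo admin"],
                 access_granted=date(2024, 6, 1), last_access_review=date(2026, 2, 15),
                 ce_certified_on=date(2025, 11, 1), ce_plus=True),
        Supplier("CRM consultancy (sample)", ["Klaviyo flows", "segment exports"],
                 access_granted=date(2025, 1, 10), last_access_review=date(2026, 3, 1),
                 ce_certified_on=date(2025, 2, 1)),
        # The freelancer case: credentials issued eighteen months ago, never reviewed, no certificate.
        Supplier("Freelance developer (sample)", ["Shopify back end"],
                 access_granted=date(2024, 10, 9), last_access_review=None),
    ]


if __name__ == "__main__":
    for name, issues in assess(sample_register(), AS_OF).items():
        status = "ok" if not issues else "; ".join(issues)
        print(f"{name}: {status}")
```

Running the sample register as of the article's date reports the email agency as clean, the CRM consultancy as holding a certificate that has passed its twelve months, and the freelancer as both uncertified and unreviewed. The point of the exercise is that the output is a list of conversations to have, not a verdict: a supplier flagged here is one to ask, in the words of the article, "why not?"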

The certification brands should consider holding themselves

This conversation is not only about what to ask of third parties. It applies to brand operators directly.

Cyber Essentials certification is available to organisations of any size. Holding an up-to-date certificate enables a business to bid for government contracts where handling of financial or personal data is involved. For brands with ambitions in the public sector or working with regulated industries, it may move from desirable to required.

Beyond the contractual applications, there is a commercial case. Customers are increasingly aware that their data has value and that its protection is not guaranteed. A brand that can point to independent certification of its security controls has a genuine, demonstrable differentiator from one that cannot. That may not be a headline claim in most DTC marketing. But in B2B contexts, in procurement conversations, and in any situation where a sophisticated buyer is assessing whether to trust a brand with their data, it matters.

For UK-based organisations with an annual turnover of under £20 million, Cyber Essentials certification comes with an automatic free cyber liability insurance policy upon achieving certification - typically including cyber liability indemnity cover up to £25,000. For brands in the growth phase, that is a meaningful additional benefit attached to a certification that costs a few hundred pounds.

The structural point

The reason this article is not a checklist of security best practices is that the challenge most ecommerce brands face here is not a knowledge gap. The information about Cyber Essentials is freely available. The certification process is straightforward. The cost is negligible relative to almost any other line in a marketing or technology budget.

The gap is one of priority and framing.

Data security tends to get treated as a compliance function. Something that sits with legal or IT, surfaces at audit time, and is otherwise not particularly visible to the commercial and marketing leadership making decisions about which agencies to use and which third parties to trust with access.

The reframe is this: your customer database is a financial asset. The access you grant to third parties is access to that asset. The security posture of those third parties is therefore a material consideration in how well that asset is protected.

Brands that understand their customer data as a strategic, commercial asset tend to be more deliberate about every aspect of how it is managed. That should include who touches it, under what controls, and whether those controls have been verified by anyone other than the supplier themselves.

Cyber Essentials is not a silver bullet. It is a starting point. But it is a starting point that is government-backed, independently assessed, publicly verifiable, and costs less than a decent team lunch.

Start asking for it.

VALIX is a Klaviyo Platinum Master Partner specialising in CRM strategy, lifecycle marketing, and customer data for DTC and subscription brands. If you want to talk about how your customer data is being managed - technically and strategically - get in touch.