Ten Years In EMEA. Here's What Actually Matters.
Abacus marks a decade serving financial services firms in region. Not a moment for self-congratulation but a moment to be direct about what we’ve learned and where the landscape is heading.
Abacus opened its EMEA operation in 2016 with a single objective: earn the right to exist in a market that doesn’t tolerate second-rate IT in financial services. There was no grand launch. The first office was borrowed space, shared with a client who trusted us enough to give us a foothold. The focus was credibility, not volume.
Ten years later, we operate across London, Edinburgh, Dubai, and Abu Dhabi, serving more than 1,200 clients and over 100,000 managed users across 25 countries. We’ve acquired four businesses, moved offices four times, navigated a pandemic, weathered the fastest period of change in cybersecurity history, and delivered record client satisfaction scores while doing it. None of that happened by accident.
This isn’t a retrospective for its own sake. The point isn’t to celebrate. The point is that a decade of operating inside regulated financial services firms through world events, a wave of ransomware, and a regulatory environment that’s moved faster than most firms could track, has given us a perspective worth sharing.
The First Five Years: Earning the Right to Be Here
The early years in EMEA were about proving that a US-headquartered firm could operate with genuine credibility in the UK market. Not as a satellite office with decisions made three thousand miles away, but as a committed, locally accountable partner to some of the most demanding clients in financial services; hedge funds, asset managers, and private equity firms who had no patience for learning curves.
We quickly learned that reputation in this market is earned client by client, referral by referral. There is no shortcut, and the community talks. If you do the job properly, that travels. If you don’t, it travels faster.
The years we spent building our delivery model under genuine client pressure, rather than scaling it prematurely, are the reason our retention held when others were churning.
COVID was the first real proof point. When the entire financial services sector moved to remote working almost overnight, our clients didn’t notice a disruption because of the infrastructure decisions made years earlier.
The Next Five Years: Proving You Can Scale Without Losing Trust
Growth changes the nature of the problems you face. The question stops being ‘can we deliver?’ and starts being ‘can we deliver at scale, consistently, without the quality diluting?’ That transition is where firms lose clients. It’s also where they lose their culture.
For Abacus, the second five years were defined by several deliberate choices. The investment in Client Experience as a formal discipline that owns the relationship and the quality of every client touchpoint was one of them. The recognition that individual heroics don’t scale was another. Deep, resilient teams outperform talented individuals over time, every time.
The acquisitions of Gotham Security in 2022, and Tribeca Technology Group and Entara more recently, weren’t about revenue lines. They were about closing capability gaps that we knew our clients were going to need, including red team testing and incident response.
The physical footprint grew to match. The opening of the Edinburgh office gave us a permanent base in Scotland’s financial services market, and the move to Palladium House in London, now our EMEA flagship headquarters, was a statement of permanence in the market that built us. Offices aren’t achievements in themselves, but a message to clients: we are not going anywhere.
The expansion into the UAE was a natural extension of where our client base was going. The DIFC and ADGM regulatory environments are maturing rapidly. The questions those firms are asking about cyber risk governance, AI adoption, and satisfying increasingly demanding regulators are the same questions we’ve been answering in London and New York for years.
What a Decade in Financial Services Cybersecurity Actually Teaches You
Ten years of working with regulated financial services firms through a period of relentless change produces a set of observations that are worth sharing.
Cyber risk became a board conversation somewhere around 2021. Before that, it was largely an IT conversation. The shift happened because incidents became consequential enough that regulators started asking boards directly. The firms that had been investing in security posture before the pressure arrived were in a fundamentally different position to those who started investing after their first breach or their first regulatory letter.
Demand for independent red team testing and external audits has grown rapidly in the last two years. The Financial Conduct Authority’s (FCA) direction of travel on operational resilience has been clear for some time; firms that treat it as a compliance exercise are now realising it was a capability requirement.
AI has changed the threat landscape in ways that matter, but not always in the ways the industry has focused on. The attack vectors that did the most damage in 2025 weren’t novel, they were credential theft, unprotected remote access, and social engineering, executed faster and at greater scale because of AI. The lesson isn’t that you need AI-specific defences, it is that your fundamentals need to be airtight before you can worry about the sophisticated edge cases.
Finally, regulation is accelerating. The Cyber Resiliency Bill, the FCA’s operational resilience framework, DORA for firms with EU exposure – the direction is the same everywhere. Regulators are not waiting for the industry to develop best practice; they are setting it. The firms that treat regulatory requirements as a ceiling rather than a floor are the ones that will find themselves constantly catching up.
What the Next Phase Looks Like
The next phase for Abacus isn’t about establishment or scale – it is about impacting how AI adoption gets governed inside regulated firms, how cyber risk gets quantified and communicated at board level, and how the industry sets best practices rather than adhering to them.
AI governance is the defining challenge of the next few years for financial services CIOs and CISOs. The FCA and Bank of England have been unambiguous: the absence of a rulebook is not a reason to delay. Firms that wait for regulatory prescriptiveness before deploying AI responsibly will find themselves behind both their peers and the regulators when the rules arrive.
Simultaneously, the threat surface created by AI adoption is real and growing. More AI-generated content means more sophisticated social engineering and more speed in AI-augmented attacks means the window between initial access and full environment compromise continues to shrink. The organisations that fare best won’t be the ones with the most advanced tools, but the ones that closed their foundational exposures first.
For service providers, data and process-driven delivery is no longer optional, and client expectations in terms of visibility, reporting, and accountability have risen sharply. MSPs must invest heavily in operational infrastructure to meet this bar.
The Honest Reflection
A decade in any market produces lessons that only come from doing the work.
Satisfied clients are your most effective marketing investment. That has been true every year we’ve operated and it becomes truer as the market gets noisier. The referral that comes from a client who trusts you absolutely is worth more than any campaign.
Focus protects reputation. Depth in the markets you know beats breadth across markets you don’t. The decisions about what not to do are often harder than the decisions about what to do, and more important.
Leadership must shift focus from execution to creating the conditions for others to grow. The team that Abacus EMEA has built over the last decade with people who came in early and grew with the business, now carry our capability and culture forward. They are the most important thing we’ve built; everything else is a by-product of that.
