Three decades at the intersection of regulation, the boardroom and the lab.

I began my career in the mid-1980s, studying Computer Science and Engineering at IIT Kanpur and then Management at IIM Calcutta. Those two foundations — one in how systems work, one in how organisations do — have shaped everything since.

My early career was spent across banking and insurance: senior roles in investment banking, Head of Asset Management, Head of Business Risk and Controls, and ultimately Board Director within subsidiaries of the BNP Paribas Group. During those years I sat on boards, managed capital, navigated credit and market risk through difficult cycles including the 2008 global financial crisis, and represented the UK as a National Expert at the European Commission. I came to understand that technology and operational failure are as dangerous to a firm as financial loss — and far harder to see coming.

In 2011 I joined the Bank of England's Prudential Regulation Authority. Fifteen years on, I have specialised in the disciplines that most organisations still treat as compliance obligations rather than business imperatives: operational resilience, cyber risk, IT and outsourcing risk across the insurance sector. I have reviewed the operational resilience of more than 150 firms — life, annuity, motor, managing agents, asset managers and run-off — and led the PRA's work across more than a dozen CBEST and STAR-FS assignments. I have managed the regulatory response to hundreds of incidents and material outsourcing notifications. I represented the UK on EIOPA's Cyber and IT Project Group and on the cyber stream of the EU–US Insurance Project, giving me first-hand insight into how regulators in different jurisdictions approach the same problems.

What distinguishes me from most practitioners in this space is that I do not only advise — I build. Since 2019 I have run a private research laboratory in which I test every recommendation I give before I give it. I coined the term Cryptoagility to describe an organisation's ability to swap out its cryptographic algorithms, and I practise it. I created the world's first public platform for generating NIST FIPS-compliant post-quantum cryptographic key pairs (Kyber.Club), implemented quantum-safe server configurations years ahead of industry timelines, and operate infrastructure that independent evaluations consistently place at the top of any security benchmark.

I will be leaving the PRA in July 2026 after fifteen years of service. From August 2026 I am available for board, advisory, speaking and executive engagements globally. My goal is to bring what I have spent three decades building — the regulator's instinct for risk, the builder's understanding of what is actually possible, the director's experience of how boards make decisions — to organisations that take resilience seriously.