The 6 Most Common Cyber Threats Targeting RIA Firms Today

Incident Response

Adelia Risk provides RIA cybersecurity services to wealth management firms, and the question principals and chief compliance officers ask us most often is what they should actually worry about.

Below are the six most common cyber threats targeting RIA firms today, what each one looks like, and what the SEC now expects you to do to stay protected. After reading this article, see our RIA cybersecurity guide to learn everything you can about protecting your RIA firm from cyberattacks.

The Most Common Cyber Threats RIAs Face: The Short Answer

The most common cyber threats targeting RIA firms today are phishing (including voice phishing), credential stuffing, ransomware, third-party and vendor breaches, business email compromise and wire fraud, and client account takeover. Here is what each one looks like in a single line:

  1. Phishing: a fake email or phone call that tricks an employee into handing over a password or approving a login.
  2. Credential stuffing: attackers replay passwords leaked from other breaches until one works on your systems.
  3. Ransomware: malware that encrypts your files and holds them hostage, increasingly paired with data theft.
  4. Third-party and vendor breaches: an attacker reaches your client data through a service provider you trusted.
  5. Business email compromise and wire fraud: a compromised email account is used to send fake payment or wire instructions.
  6. Client account takeover: a client’s own email or device is compromised and used to move money in their name.

The rest of this page walks through each threat with recent examples, then covers your obligations under the SEC’s amended Regulation S-P.

Alert sign reading "Beware Phishing Emails" as warning of the top cyberattack risk for RIA firms

Why Hackers Target RIA Firms Specifically

RIA firms sit in an spot that is a perfect place for hackers to target. That’s because they are the connection between high-net-worth money and the instructions that move it. That makes you a high-value cyber threat target, because the same account you use to service a client can also authorize a transfer.

You also hold the data attackers want to sell or reuse, including:

  • Social Security numbers
  • Account numbers
  • Custodian details
  • Financial-planning documents

These are all located in your systems and your vendors’ systems. All the hackers have to do is get in.

And most RIA firms are small. There were 15,870 SEC-registered investment advisers in 2024, and the vast majority are shops with fewer than 100 employees (Investment Adviser Industry Snapshot). Those firms rarely have a full-time security team, which leaves high-value data behind lean defenses.

Top Cyber Threats for RIAs and Wealth Management Firms

These are the top six cyber attacks we see on RIA firms.

1) Phishing

Phishing is a fake message that tricks someone into giving up a password, an account number, or a login approval. It remains one of the top ways attackers get their first foothold. The 2025 Verizon Data Breach Investigations Report ties 16% of breaches to phishing, ranking it third as an initial access vector, behind credential abuse (22%) and vulnerability exploitation (20%).

We see this firsthand. As part of our RIA cybersecurity service, Adelia Risk sends simulated phishing emails to client teams, and careful, security-conscious professionals still click the fake links. That is the point: good phishing is convincing, and a click is a process gap to fix, not a character flaw.

The most effective ones pretend to be sent from Human Resources, your IT team, or, increasingly, from someone you know, either inside or outside the company.

The newer twist is voice phishing (vishing), the same trick over the phone. Since late 2025, the extortion group ShinyHunters has run a voice-phishing campaign that calls employees and help-desk staff to steal Okta, Microsoft, and Google single sign-on credentials, then enrolls the attacker’s own device to get past two-factor authentication. The same group has been tied to a wave of cyber attacks on RIAs.

Learn more in our article on SEC cybersecurity guidance on phishing.

2) Credential Stuffing

Credential stuffing is an automated attack. Attackers take username-and-password pairs leaked from other companies’ breaches, then use scripts to try those pairs against your logins. It works because people reuse passwords. The SEC’s examination staff warned advisers about this pattern in a September 2020 risk alert, and it is only more relevant now that stolen credentials are the leading way attackers break in.

There are two main ways to reduce the risk. First, use a different password for every account, stored in a password manager, so one leaked password does not unlock the rest. Second, turn on two-factor authentication (often called MFA) everywhere it is offered.

Apply that two-factor requirement at your identity provider (Microsoft Entra ID, Okta, or Duo) so it covers every connected application at once. That makes a replayed password far less useful because the password alone is no longer enough to get in.

3) Ransomware

Ransomware attack encrypting personal files, a major cyber threat for RIA firms

Ransomware is malware that encrypts your files and holds them hostage until you pay. It is not just a big-company problem. The 2025 Verizon DBIR found ransomware present in 44% of all breaches, and in 88% of breaches at small and midsize businesses, the category most RIA firms fall into. Increasingly, attackers steal a copy of your data before encrypting it, so they can threaten to leak it even if you restore from backup.

Your team should recognize the warning signs: screen-locking pop-ups, files that suddenly carry unfamiliar extensions, errors when opening documents, and strange files no one created. If it happens, isolate the affected machines, identify the strain, report the incident through your incident-response plan, and rebuild from clean backups rather than paying blind.

Prevention comes by keeping offline backups;. Make sure to keep devices patched. Finally, run endpoint protection with ransomware defenses; and treat unexpected links and attachments with suspicion. For a deeper walkthrough, see Can You Spot the Signs of Ransomware? and our ransomware playbook of 31 critical questions.

4) Third-Party and Vendor Breaches

You are only as secure as the vendors who hold your data. An attacker who cannot get into your systems will often go after the custodian, the CRM, or the marketing tool that syncs your client list, and 2026 has made that concrete for RIA firms.

In February 2026, Edelman Financial Engines (one of the largest independent RIAs in the US, managing roughly $326 billion for about 1.24 million clients) disclosed that an attacker accessed the names, Social Security numbers, and financial-planning data of 5,083 clients on January 7, 2026. In March 2026, Hightower Advisors disclosed that intruders using compromised employee accounts had stolen data on 131,483 people in January 2026.

Around the same time, the extortion group ShinyHunters claimed it had stolen client data from Mercer Advisors (about $92 billion in assets) and Beacon Pointe Advisors (about $62 billion), setting a February 18, 2026 deadline to pay or see the data leaked, and when the firms refused, it published records. The record counts in that campaign are the attackers’ claims. The firms confirmed the intrusions but described narrower scope, and Beacon Pointe said the incident touched less than 0.5% of its clients. Class-action suits followed.

The practical defense is a repeatable vendor-risk process:

  1. List your vendors: every service that stores, processes, or can access client data.
  2. Request evidence: a SOC 2 report from larger vendors, or an information-security policy and training records from smaller ones.
  3. Review and follow up: read what they send and ask about anything missing or weak.
  4. Respond to the gaps: tighten the contract, add security requirements, or end the relationship if the risk is too high.
  5. Schedule the next review: put a reminder on the calendar to repeat this annually.

This is no longer just good practice. As covered in the next section, the SEC’s amended Regulation S-P makes written service-provider oversight, including contract terms that have vendors notify you of a breach within 72 hours, a documented requirement. For the full method, see our guide to third-party vendor risk management.

5) Business Email Compromise and Wire Fraud

Business email compromise (BEC) is when an attacker gets into an email account and uses it to send fraudulent payment or wire instructions. It is one of the most expensive scams in the country. In fact, the FBI’s Internet Crime Complaint Center logged $2.77 billion in reported BEC losses across 21,442 complaints in 2024 alone, second only to investment fraud.

For an RIA, the classic version starts with a compromised client mailbox. The scammer watches for the right moment, then emails you asking to change wire instructions or send funds to a new account. The message looks legitimate because it comes from the client’s real email address.

The control that helps catch this is a verbal callback. Confirm any new or changed payment instruction by calling the client back on a phone number you already have on file, not a number in the email. That second step breaks the scam when money is about to move.

We’ve seen this happen at far too many RIAs over the past few years.

6) Client Account Takeover

Your firm can do everything right and still be exposed through a client. If a client’s email or home computer is compromised, an attacker can use that access to impersonate them and try to move money, which is why client account takeover is a threat to your firm.

Here are the tips we share with clients most often:

  1. Turn on two-factor authentication on every important online account, especially email and financial logins.
  2. Use a long, unique password for each account, stored in a password manager.
  3. Be skeptical of unexpected phone calls asking for sensitive information. Hang up and call the institution back on a number you trust.
  4. When in doubt about a request, verify it by calling a known contact directly before acting.

If a client is already compromised, our client account compromise response guide walks through the exact steps to take.

Business professional using tablet with cybersecurity network graphics symbolizing RIA cyber risk management

Your Employees Are the Last Line of Defense

Employees are often called the weak link, and one clicked link or lost laptop can undo a lot of good work. However, a better frame is to treat your team as the last line of defense rather than the first point of failure.

That means regular training and a culture where reporting a suspicious email is welcomed. Simulated phishing (sending your own team safe test emails) turns training into a habit and shows you where the real gaps are.

What the SEC Now Expects RIAs to Do About Cyber Threats

The SEC’s amended Regulation S-P is now in effect. Adopted in May 2024, its compliance deadlines have passed for both larger firms (December 3, 2025) and smaller firms (June 3, 2026), so these are current obligations.

The amended rule requires RIA firms to:

  • Maintain a written incident-response program for security events involving customer information.
  • Notify affected customers as soon as practicable, and no later than 30 days, after determining that sensitive information was or likely was accessed.
  • Oversee service providers, including contract terms designed to have vendors notify you of a breach within about 72 hours.
  • Keep records of the program and any customer notifications for five years.

Regulation S-ID, the identity-theft “red flags” rule, applies to RIA firms that maintain “covered accounts,” and every adviser is expected to assess and document whether it does. And the SEC Division of Examinations’ 2026 priorities, released November 17, 2025, single out Regulations S-P and S-ID as focus areas for adviser exams.

If you want a structured starting point, our RIA cybersecurity policy checklist template maps these requirements to concrete policies.

How to Protect Your RIA Firm

You cannot reduce these risks to zero, but a focused set of controls covers most of what the threats above rely on:

  1. Two-factor authentication everywhere, enforced at your identity provider.
  2. A password manager so every account has a long, unique password.
  3. An email security layer to filter phishing and spoofed messages.
  4. Endpoint protection (EDR) on every computer to catch and contain malware.
  5. Tested, offline backups you have actually restored from, so ransomware is a bad day and not a closure.
  6. Regular training and simulated phishing for your team and your clients.
  7. A written vendor-risk program tied to your Regulation S-P service-provider oversight.

None of these requires an enterprise budget. Working through them in order is how a small firm gets most of the protection for a fraction of the cost.

Frequently Asked Questions

What are the most common cyber threats targeting RIA firms today?
The most common cyber threats targeting RIA firms today are phishing and voice phishing, credential stuffing, ransomware, third-party and vendor breaches, business email compromise and wire fraud, and client account takeover. Nearly all of them start with stolen credentials or a tricked employee, which is why two-factor authentication and training carry so much of the load.

Have RIA firms actually been breached?
Yes. RIA data breaches have been real and recent. In early 2026, Edelman Financial Engines disclosed a breach affecting 5,083 clients, Hightower Advisors disclosed one affecting 131,483 people, and the extortion group ShinyHunters claimed and then leaked data from Mercer Advisors and Beacon Pointe Advisors. These were large, well-run firms, a reminder that size is not protection.

What is the best phishing protection for RIA firms?
No single product handles it. The most effective approach is layered: an email security service to filter malicious messages, two-factor authentication at your identity provider so a stolen password is not enough, and ongoing training reinforced by simulated phishing.

What does the SEC require RIAs to do after a data breach?
Under the amended Regulation S-P, RIA firms must maintain a written incident-response program and notify affected customers no later than 30 days after determining that sensitive customer information was or likely was accessed. The rule also requires service-provider oversight and recordkeeping.

Does Your RIA Firm Need Help With Cybersecurity?

Adelia Risk provides cybersecurity built for small, high-value firms in regulated industries like wealth management. We handle the whole program, from two-factor authentication and vendor oversight to Regulation S-P documentation, so you can show examiners a real security posture instead of scrambling after an incident. Learn about our RIA cybersecurity services.

Table of Contents

Picture of Josh Ablett

Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.

Share

Related Posts

When firms think about cybersecurity, they’re tempted to focus on the tech.  Hopefully, you’re already having

Do you think we might be a good match?

Healthcare Cybersecurity Services​ Page