ANALYSIS

RIA cybersecurity in 2026: where training-first programs miss the actual attack surface

Charles Schwab's 2024 RIA Benchmarking Study, drawn from 1,304 advisory firms managing $2 trillion in assets, contains a striking inversion. Ninety-seven percent of firms with $250 million or more under management offer employee cybersecurity training. Ninety-four percent conduct network monitoring. But only 67% maintain written cybersecurity policies and procedures, and just 57% provide client cybersecurity education.

The numbers describe a profession that has invested heavily in defensive perimeters (awareness training, monitoring infrastructure) while the documented basis for that defense and its weakest external link remain comparatively thin.

This is not an abstract gap. Between January and March 2026, a single threat actor systematically breached six US registered investment advisers, wealth managers, and related advisory firms. The total exposed: roughly 2.6 million records, including the personal information and in some cases the full financial profiles of clients who collectively manage hundreds of billions in assets. None of these firms were unprepared by the dominant industry standard. None were untrained. Several were almost certainly inside the 97% and the 94%. The pattern echoes a parallel cluster that we examined earlier in the law firm sector in 2025 and 2026: third-party advisors holding dense client information, breached at scale.

What the campaign revealed is that training-first programs target a class of attack the campaign rarely used.

The ShinyHunters Wall Street campaign, January to March 2026

ShinyHunters is a data-theft and extortion group operating on a pay-or-leak model. They steal data, demand payment, and publish to a Tor-based leak site if unpaid. They do not encrypt files. They do not disrupt operations. Their attack signature is the absence of one until the extortion email lands or the firm's data appears for sale on a dark-web index.

This matters operationally. Ransomware attacks announce themselves: workstations lock, services fail, incident response triggers within hours. Pay-or-leak attacks are silent. The firm often does not know it has been breached until weeks after the data has left, frequently learning only when the extortion clock has already started. Training employees to recognise suspicious activity is meaningless in that interval, because there is no activity to recognise.

Six US firms in the RIA, wealth management, and financial advisory sector were claimed by the group in the first quarter of 2026:

Betterment

January 9, 2026. Approximately 1.4 million customer records compromised. The firm disclosed that the attack involved third-party software platforms used for marketing and operations rather than Betterment's own infrastructure. Customers received fraudulent cryptocurrency-impersonation messages on the same day. Two class-action lawsuits followed.

Mercer Advisors

January 22 to 25, 2026 (access window); breach determination March 25, 2026. Approximately 143,000 individuals affected per state notification filings. Notification filed with the Maine Attorney General; affected individuals offered 12 months of Experian IdentityWorks. ShinyHunters issued public "final warning" extortion communications in February 2026 demanding payment by February 18.

Beacon Pointe Advisors

Initial access January 30, 2026; identified February 1, 2026. More than 100,000 records compromised including Social Security numbers, financial account details, and driver's licences. The breach resulted from a social engineering attack. Vermont Attorney General notice filed February 20, 2026. Massachusetts Attorney General also notified.

Pathstone Family Office

Listed on the ShinyHunters leak site February 27, 2026, with a ransom deadline of March 2, 2026. The exfiltrated dataset reportedly contained 641,000 records including detailed profiles of 91,257 unique clients with liquid net worth and annual income figures, Salesforce-driven client records, contracts, legal paperwork, and estate planning details. The dataset reportedly originated from a 15 GB Salesforce export. Pathstone operates 23 offices across a dozen states, serves more than 750 families, and manages approximately $170 billion in aggregate assets. As of mid-May 2026 the firm had not issued public breach notifications, while its exfiltrated data was already listed for sale.

Ameriprise Financial

Unauthorised access March 2, 2026; discovered March 18, 2026; individual notifications began April 17, 2026. Approximately 47,876 individuals affected; the leak reportedly totalled 200 GB. The notification timeline sits visibly close to the 30-day boundary that SEC Regulation S-P now requires.

CFGI Management

Leak-site listing March 9, 2026. Over 800,000 PII records plus 40,000 financial documents leaked, exported from what appears to be an integrated CRM and ERP environment. CFGI is the most structurally interesting case in the cohort: the firm provides virtual CISOs, data privacy audits, and IT compliance services, and is a Registered Practitioner Organization for the Cybersecurity Maturity Model Certification framework. A cybersecurity advisory firm could not secure itself.

The common vector

The common technical vector across the cohort was voice phishing (vishing) of the firms' own employees, leading to compromise of their Salesforce or SSO infrastructure. Betterment's post-incident reporting attributed the breach to vishing of Betterment staff that produced credential and MFA disclosure to attackers impersonating internal IT support. Pathstone's exfiltration reportedly originated from a Salesforce database. The CFGI leak structure suggests a similar CRM-side path. Multiple independent threat-intelligence analyses (Google Cloud Threat Intelligence, Obsidian Security, Push Security, Mitiga, Varonis) trace the 2025 to 2026 ShinyHunters campaign to a documented pattern: attackers call the firm's employees impersonating internal IT support, often using AI voice platforms such as Bland AI or VAPI to scale the calls. Successful calls result in the employee authorising a malicious OAuth connected application in Salesforce, or surrendering SSO credentials and MFA codes for Okta, Microsoft Entra, or Google. In either case the resulting data exfiltration looks like legitimate API access from the firm's own authorised integrations.

This vector matters because it is precisely the path that the prevailing training-first model is weakest against. The compromised data did move through the firm's own employees, but the employees were vished by phone rather than phished by email. The data then moved out through OAuth-authorised integrations and SSO-authenticated API calls that sit outside the perimeter most network monitoring is configured to watch.

What Pathstone tells us about the worst case

Most of the cohort lost what data breach disclosures call personal information: names, addresses, dates of birth, Social Security numbers, sometimes account numbers. This is the standard taxonomy of US data breach law. Identity-theft monitoring services follow.

Pathstone is the outlier and the warning. The exfiltrated database reportedly contained detailed profiles of 91,257 unique clients with liquid net worth, annual income figures, and Salesforce-driven client records including contracts, legal paperwork, and estate planning details. Pathstone serves more than 750 families holding approximately $170 billion in aggregate assets.

A breach of this shape produces a different secondary risk than identity fraud. It produces a curated, indexed targeting directory for high-net-worth attacks. Vishing campaigns with prior context. Deepfake impersonation calls referencing actual portfolio composition. Business email compromise that knows which counsel and which custodian to spoof. The data does not need to be sold for fraud; it is more valuable as intelligence for the next attack.

The asymmetry between this and a generic credential-stuffing breach is what makes the case load-bearing for the wider argument. Identity-theft remediation services address the first-order risk. They do not address the targeting-directory problem, because the targeting-directory problem unfolds over years and against different attack chains than the one that produced the leak.

Why training-first programs missed this

Training-first cybersecurity programs operate on a coherent model. Train employees to recognise phishing emails, suspicious links, and unusual requests. Monitor the network for anomalous access patterns. Trust but verify. This works against attacks that route through trained humans on the firm's own infrastructure.

The ShinyHunters cohort attacks did route through trained humans, but not in a way the email-phishing model addresses. The 2025 to 2026 campaign pattern involves:

  • Voice phishing (vishing) of the firm's own employees, with attackers impersonating internal IT support and frequently using AI voice platforms to scale the calls
  • Manipulation of the employee into either authorising a malicious OAuth connected application in Salesforce, or surrendering SSO credentials and MFA codes for Okta, Microsoft Entra, or Google
  • Data exfiltration through normal-looking API calls or legitimate-looking SSO sessions that produce no anomalous endpoint behaviour on the firm's network
  • Discovery weeks or months after the fact, often only through the extortion email or the leak-site listing

The training assumption that breaks here is modality. The 97% figure in the Schwab study refers overwhelmingly to email-phishing awareness training: recognise suspicious senders, hover over links before clicking, beware of unexpected attachments. Voice phishing defeats this training because the visual cues it emphasises do not appear on a phone call. The attacker on the other end of the line has the firm's directory, knows the employee's name and role, references a plausible internal IT initiative, and pressures urgency. By the time the employee disconnects and questions the call, the OAuth grant or SSO session is already in attacker hands. The 30-day Regulation S-P notification clock starts; the structural damage is done.

A deeper asymmetric problem sits underneath. Much of the data the attacker now holds is composed of information that did not strictly need to be in the integration in the first place. A Salesforce instance holding 91,257 client wealth profiles with liquid net worth figures is a product of CRM-completeness culture, not regulatory requirement. The principal-side personal data exposure that powers the next deepfake attack is composed mostly of information that is already publicly findable but never inventoried as a risk surface.

This is what attack-surface reduction means in operational terms. Not "stop the breach," because the breach found a different path than the one training was looking for. Rather: reduce what the breach yields when it inevitably happens, and reduce what is publicly available to power the next attack chain.
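The grant-then-export pattern described above leaves traces in the platform's own audit data even when nothing looks wrong on the endpoint. What follows is an added detection example, not code from this article or from any vendor: it runs over a constructed, simplified audit log (the pipe-delimited format and field names are assumptions, not the Salesforce audit-trail schema) and flags every connected-app authorisation for an app outside the firm's approved list, raising the severity when a large bulk export through that same app follows within a review window.

```python
"""Detect the grant-then-export pattern: an employee authorises an
unapproved OAuth connected app and a large bulk export follows soon after.
Constructed example; the log format and field names are simplified
assumptions, not the Salesforce audit-trail schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "app_authorized" or "bulk_export"
    app: str         # connected app the action was performed through
    bytes_out: int   # only meaningful for bulk_export rows


# Constructed sample log (pipe-delimited): timestamp|user|kind|app|bytes
SAMPLE_LOG = """\
2026-01-20T08:00:00Z|a.kim|bulk_export|Custodian-Feed|734003200
2026-01-22T09:14:03Z|j.doe|app_authorized|Data-Sync-Helper|0
2026-01-22T09:31:40Z|j.doe|bulk_export|Data-Sync-Helper|16106127360
2026-01-22T10:02:11Z|m.lee|app_authorized|Marketo-Integration|0
2026-01-22T11:00:00Z|m.lee|bulk_export|Marketo-Integration|52428800
2026-01-23T15:20:00Z|r.patel|app_authorized|Quick-Data-Loader|0
"""

# Connected apps the firm has reviewed and approved (assumed allowlist).
APPROVED_APPS = {"Custodian-Feed", "Marketo-Integration"}


def parse_events(text: str) -> list:
    """Parse the constructed log into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, app, nbytes = line.split("|")
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts=stamp.replace(tzinfo=timezone.utc),
                            user=user, kind=kind, app=app,
                            bytes_out=int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_grants(events, approved, window_hours=72,
                           export_threshold=1 << 30):
    """Return one finding per authorisation of a non-approved app.

    Severity is "high" when exports through that app within the window
    reach export_threshold bytes (default 1 GiB), otherwise "medium":
    an unapproved grant is worth a call to the employee even before any
    data has moved.
    """
    findings = []
    for grant in events:
        if grant.kind != "app_authorized" or grant.app in approved:
            continue
        deadline = grant.ts + timedelta(hours=window_hours)
        exported = sum(e.bytes_out for e in events
                       if e.kind == "bulk_export" and e.app == grant.app
                       and grant.ts <= e.ts <= deadline)
        findings.append({
            "user": grant.user,
            "app": grant.app,
            "granted_at": grant.ts.isoformat(),
            "bytes_exported_in_window": exported,
            "severity": "high" if exported >= export_threshold else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_grants(parse_events(SAMPLE_LOG), APPROVED_APPS):
        print(finding)
```

The approved-app list is the control that turns this from a one-off query into the integration audit the article calls for: any app that is not on it is, by definition, something the firm never reviewed.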

What the empirical literature now says about phishing training

The structural argument above does not depend on whether training itself works against the attacks it does cover. But the academic literature has converged in 2024 to 2026 on a stark finding: large-scale studies of phishing training in real-world organisational settings consistently fail to detect statistically significant reductions in click rates from training.

In April 2026, Rozema and Davis published a reproduction study at a US-based fintech firm with 12,511 participants. Two phishing training modalities were tested. The first used lecture-based videos plus a comprehension quiz. The second added a sequence of interactive phishing exercises. Both were compared against a control group of 462 employees who received no pre-test training. Across all conditions the overall click rate was 10.4%. The control group averaged 9.8%; the trained groups averaged 10.5%. Neither training modality produced statistically significant improvements in click rates (p=0.450) or reporting rates (p=0.417), with effect sizes below 0.01 by standard measures.

This reproduces earlier findings at similar scale. Lain, Kostiainen, and Capkun observed 19,000+ employees over a multi-year longitudinal study and found no improvement in security outcomes from training. Ho and colleagues studied 19,500+ healthcare employees and reached the same conclusion in 2025. Doing and colleagues studied bank employees in 2024; Hillman, Harel, and Toch studied 5,000 finance employees in 2023. Across roughly 60,000 employees in five large-scale real-world studies, the dominant industry practice of phishing awareness training has not produced measurable reductions in click rates.

What the same studies do find reliably is that the difficulty of the phishing lure predicts behaviour. Rozema and Davis validated the NIST Phish Scale at enterprise scale: 7.0% click rate on easy lures, 8.7% on medium, 15.0% on hard. Training modality did not change this gradient. Lure difficulty did. The fintech context also matters. Rozema and Davis explicitly note that financial services employees may have a higher baseline of security awareness than the general workforce, which means training failed against trained-by-default professionals. The implication for smaller RIAs whose training programs are less mature is direct.

The composite picture for an RIA principal: the 97% of firms investing in employee training are paying for an intervention that the peer-reviewed empirical literature now suggests has minimal causal effect on the behaviour it targets, while the 57% of firms whose client education is underdeveloped face the high-difficulty end of the spectrum where the data-rich deepfake-with-context attack operates. The Schwab inversion is not merely a structural imbalance. It is an active misallocation against the published evidence base.

The four-statute regulatory stack

US RIAs sit inside a denser cybersecurity-regulatory architecture than most firms outside the regulated financial sector realise.

SEC Regulation S-P (2024 amendments)

Adopted by the Commission in May 2024 and effective August 2, 2024, the amendments require covered institutions, including SEC-registered investment advisers, to maintain written policies and procedures for an incident response program, to oversee service providers with access to customer information, and to notify affected individuals of breaches affecting nonpublic personal information as soon as practicable but no later than 30 days after the firm becomes aware of the unauthorised access or use. Large RIAs with regulatory assets under management of $1.5 billion or more were required to comply by December 3, 2025. Smaller RIAs face a compliance deadline of June 3, 2026.

The timing of the cohort matters here. The Mercer Advisors, Beacon Pointe, Pathstone, Ameriprise, and CFGI breaches all occurred after the December 3, 2025 large-RIA compliance deadline. The Ameriprise notification lag, where the breach was discovered March 18 and individual notifications began April 17, sits visibly close to the 30-day boundary the rule now sets. Compliance with the rule did not prevent the breaches; the rule operationalises post-incident handling rather than prevention.

SEC Regulation S-ID

The Identity Theft Red Flags Rule at 17 CFR 248.201 requires financial institutions and creditors to develop and implement a written program reasonably designed to detect, prevent, and mitigate identity theft. RIAs that hold transaction accounts permitting account-holder transfers fall within scope. The rule remains live and supports a "you knew this was a foreseeable risk" framing where a breach yields downstream identity fraud.

Investment Advisers Act of 1940, §206

The foundational anti-fraud and fiduciary provision. §206(2) prohibits an investment adviser from engaging in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client. §206(4) supports SEC rulemaking. The SEC has historically used §206(4) to anchor cyber-related rule-making against RIAs, most prominently in the R.T. Jones Capital Equities Management settlement in 2015, the first cyber-related enforcement action against an RIA. The Commission alleged the firm had failed to adopt written policies and procedures reasonably designed to protect customer records and information, and the case settled for a $75,000 civil penalty. The framework remains the cleanest legal anchor for arguing that a fiduciary's duty to act in the client's best interest extends to operational security around client information.

NASAA Cybersecurity Model Rule (2019)

Adopted on May 19, 2019 by the North American Securities Administrators Association, the model rule covers state-registered investment advisers, approximately 17,000 firms with AUM below $100 million. It requires written physical security and cybersecurity policies aligned with the NIST cybersecurity framework's five functions: identify, protect, detect, respond, and recover. State-by-state adoption remains uneven. The model rule is the relevant framework for the long tail of smaller advisers that fall outside SEC registration but still hold meaningful aggregations of client personal data.

The composite picture: an RIA breached today has potential exposure under at least one and often two or three of these four authorities, depending on registration status, AUM, and the data taxonomy involved.

The §206 fiduciary-duty pivot

The framing question that matters more than any particular statute: is an RIA's duty to safeguard client information a fiduciary duty, or merely a regulatory compliance duty?

The SEC's modern position, expressed through Regulation S-P's structure and the still-pending Cybersecurity Risk Management Rule (proposed February 2022, not yet finalised), is closer to the former. The Reg S-P amendments require an incident response program that exists at the level of the adviser's overall obligation to its clients rather than as an IT-department compliance artefact.

The operational distinction matters. A compliance-duty framing treats cybersecurity as a checklist exercise: maintain the written policies, conduct the training, file the notifications. A fiduciary-duty framing requires the firm to ask whether the configuration of its operational systems, including the third-party platforms it has authorised to hold client data, is consistent with what a reasonable adviser would do in the client's best interest. A CRM instance that aggregates 91,257 wealth profiles into a single integration is harder to defend under the second framing than the first.

Most plaintiff bar theories building on the early 2026 cohort proceed under exactly this logic. The class-action complaints filed against Mercer Advisors, Betterment, and Beacon Pointe allege not merely breach-disclosure failures but underlying §206-shaped fiduciary breaches in the operational handling of client information. Whether courts ultimately accept the theory is unresolved. The fact that the plaintiff bar is now framing breach claims in §206 terms is what changes the risk picture for the firm.

E&O insurance: the second-order exposure

A cybersecurity incident at an RIA is not, by itself, an Errors & Omissions claim. E&O covers the firm against allegations of professional negligence in providing investment advice: failure to act with appropriate care, undisclosed conflicts of interest, suitability failures. But the secondary effects of an RIA breach reliably extend into E&O territory:

  • Class actions alleging the firm breached its fiduciary duty under §206 by failing to safeguard client information (the Mercer Advisors class-action complaint cites exactly this theory)
  • Regulatory enforcement creating findings that the firm later faces in civil actions
  • Specific transactional losses where the stolen data was used in subsequent fraud against the client

The RIA E&O insurance market in 2026 carries cyber-coverage exclusions or sublimits that frequently surprise the firm at the point of claim. Cyber liability insurance covers some of the technical incident response: forensics, notification costs, credit monitoring. It does not always cover the §206 fiduciary claims that arrive 12 to 18 months later from the plaintiff bar. The firms that discovered this gap in 2024 to 2025 are not the firms that planned for it.

The diligence question for any RIA principal is straightforward: does our existing E&O policy explicitly extend to fiduciary breach claims arising from cyber incidents, or does it carve them out? The answer is often the latter, and the silent reduction of coverage at the moment the firm most needs it is the second-order exposure that compounds the first.

What attack-surface reduction actually looks like for an RIA

For an RIA whose principal cybersecurity investments are in employee training and network monitoring (the 97% and the 94% of the Schwab study), attack-surface reduction is the structurally distinct work that often goes undone (closer to the 67% and the 57% gap). It has four operational components.

1. Inventory of principal and key-personnel personal data exposure

Most RIA cybersecurity inventories track systems access: who has admin credentials on what, which integrations have what tokens, which endpoints have which protections. They rarely track what is publicly findable about the firm's principals, board members, and key personnel across data brokers, people-search platforms, public records, regulatory filings, and lifestyle press. This is the foundational input to deepfake-and-vishing attack chains. Counter-OSINT inventory is its mirror image.

2. Suppression of unnecessary public exposure

Data broker records, residual people-search profiles, archived disclosures that no longer serve their original purpose. The objective is not invisibility but reduction of the targeting dossier an attacker can assemble before any contact. The lower the baseline, the less context an attacker has for the social engineering that powers the next breach.

3. Separation of high-value contact channels

Principal-to-principal communication, advisor-to-client communication on transactional matters, board-level deliberation about M&A or succession. These channels benefit from operating on infrastructure separate from general firm operations. The Ameriprise notification timeline illustrates the operational difficulty of mounting an incident response while business continues. Isolated channels narrow the surface.

4. Vendor and integration audit

The single most consequential operational lesson of the ShinyHunters Wall Street cohort: third-party software with broad access to client data is a larger attack surface than the firm's own network. Most RIAs cannot eliminate Salesforce, custodial-integration APIs, or marketing automation. They can audit what those integrations actually hold against what the business purpose actually requires, whether the volume can be reduced, and how the access tokens are managed, rotated, and scoped.

None of this is exotic security work. Most of it is information-architecture and governance work, aligned more with how a fiduciary thinks about client information than with how an IT department thinks about endpoints.

If the firm's principals and board are publicly findable in ways that power the next deepfake call, no amount of additional training closes the gap. A Corporate Audit maps that surface.


Six questions for the firm-side principal

The post-cohort diligence questions that determine whether an RIA is operationally aligned with the fiduciary frame or only the compliance frame:

  1. Does our cyber program inventory employee, principal, and board personal-data exposure, or only system access? If the answer is only system access, the program is structurally blind to the targeting-directory attack chain.
  2. Have we run a counter-OSINT review on principals and board members in the last twelve months? Most firms have not. The exposure usually expands rather than contracts over time as new disclosures (Form ADV, philanthropic announcements, lifestyle press, family-office filings) accumulate.
  3. Is our breach notification SLA in the client engagement letter, or only in the privacy policy? Privacy-policy commitments are uncommonly read and uncommonly enforced. Engagement-letter commitments are documentary obligations.
  4. Does our E&O insurance explicitly cover §206 fiduciary breach claims arising from cyber incidents, and have we obtained that confirmation in writing from the carrier? The verbal "you should be covered" is not the same as the policy language.
  5. When did we last audit our written cybersecurity policies and procedures (the 67% gap)? Documentation that has not been touched since the Reg S-P compliance deadline does not survive contact with a real incident.
  6. When did we last update our client cybersecurity education (the 57% gap)? This is the asymmetric link in the chain. It is the one most RIA programs admit is undertrained, and the one that the deepfake-with-context attack exploits directly.

These are not technical questions. They are governance questions. Most can be answered by the firm's compliance officer, principal, or general counsel without a security engineer in the room.

Why this is a Corporate Audit conversation

The work above is not an IT-managed-services engagement. It is closer to an OSINT-and-governance audit of the firm's actual attack surface as it appears to an external researcher. PI's Corporate Audit is shaped for this: a fixed-scope, fixed-deliverable engagement that produces an inventory of public exposure, an assessment of third-party data concentration, and a set of governance recommendations a firm's principals can take to the compliance committee.

It is not training. It is not network monitoring. It is the part of the program that the Schwab study suggests most firms have not yet built.

Sources

Regulatory commentary

  • Gibson Dunn — Regulatory Compliance Reminders for Investment Advisers
  • Proskauer Rose — Reg S-P compliance deadline analysis (December 3, 2025)
  • Holland & Knight — Regulation S-P Amendments compliance deadline for smaller entities (June 3, 2026)
  • McDermott — SEC Adopts Information Security and Notification Amendments to Regulation S-P
  • Sidley — 2025 Fiscal Year in Review: SEC Enforcement Against Investment Advisers
