A security pro sees increased attacks on registered investment advisers

Sparrow Risk Group’s Ryan Quirk shares technical and not-technical safeguards.


Registered investment advisers, also known as RIAs, provide financial advice, with an accompanying fee structure generally tied to the value of a client’s assets. That fee, in theory, keeps advisers’ interests aligned with their clients’.

Hackers are also leaning on RIAs—but not for help with their portfolios.

Ryan Quirk, founder and managing director of risk mitigation firm Sparrow Risk Group, has observed what he called a “marked increase” in sophisticated email-based social engineering attacks targeting both RIAs and their supporting vendors.

Smaller RIAs lack the budget, expertise, and resources of bigger outfits that can afford enterprise-level security, according to Quirk.

“There is a unique rise in the risk to those RIAs and family offices that these larger firms are able to mitigate due to the fact that they have these large cybersecurity divisions that they’re paying millions of dollars for,” Quirk told us. “These RIAs don’t have the capability to afford that.”

Security weaknesses. According to the most recent Investment Adviser Association snapshot, released in May 2025, there were 15,870 advisers registered with the SEC in 2024, up from 13,880 in 2020. Most of these advisory organizations have fewer than 100 employees.

Some notable ransomware attacks on RIA firms include Hightower and Mercer Global Advisors, both earlier this year. Despite the obvious threat, just 57% of RIAs have recently increased their security budgets, according to an August 2025 survey of more than 300 US financial executives, conducted by managed IT services company Omega Systems. Meanwhile, 11% of RIAs said they significantly decreased their IT spend last year.

Quirk spoke with us about RIA risk levels—and what investors should demand of their advisories.

The conversation below has been edited for length and clarity.

Are registered investment advisories on the rise?

The space has really grown exponentially in the last five years or so…They fall under varying regulatory compliance, whether it’s the SEC, FINRA, state boards, or a combination of all three. A lot of wealth managers are working for the big wirehouses—the big names everyone would know for where you park your money, invest it, and have them manage your portfolio. And they’re breaking out on their own—whether it’s people they went to school with, or people that they worked with on a project or at another company. They are having great success, and it is more of a personal feel for the investor.

Why are they a target lately?

The RIA, by design, has access to high net-worth or ultra-high net-worth individuals, so those digital threads that connect the RIA and vendors and subcontractors…those create different exploitable attack vectors.

What is the main tactic you’ve seen used against financial advisory firms?

The biggest misconception is that these attacks are highly technical. Often they’re not. Most breaches in financial advisory firms start with identity, not infrastructure. It’s your identifiable information that they can then use to socially engineer you…so first is credential compromise: That’s phishing attempts, that’s multi-factor authentication fatigue.

What security controls should investors demand of their RIA groups given these threats?

First, I would recommend identity hardening. That would be multi-factor authentication, but do not use text messaging [for risk of SIM-swapping attacks]. There are a variety of apps you can use that are more secure…I like using different apps, so that way, if they get access to my Google account, I don’t use Google Authenticator, because they could potentially get into that. I use apps that are completely unconnected, so they would have to really do a good job to get my credentials.

What do you recommend for transaction verification?

When money is moving, you want some sort of what I call a “dumb” redundancy. When everything’s going high speed, I like to slow it down and go analog. In a digital world, if you go analog, it’s very hard for the hackers to follow you. What I’ve done, and this is a recommendation that I give clients—you can implement it in 15 minutes, and it’ll cost $0:

You ask AI to spit out 52 words that are between seven and 10 letters in length; it’ll just give you random words. Then, you print that out and give that to your key executives. Then, any transaction of money over X amount, in order for that transaction to go through, someone has to give you the “word of the week.”
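The “word of the week” control described above is an out-of-band shared secret: the printed sheet never touches email, so an attacker who has taken over a mailbox or spoofed an executive still cannot supply the word. The script below is an added illustration of that procedure, not code from Quirk or Sparrow Risk Group. It swaps the interview’s “ask AI for 52 words” step for a cryptographically secure random sample from a word list (the word list here is a small constructed one; a real deployment would use a larger dictionary), maps each ISO week of the year to one word, and gates any transfer above a threshold on the caller supplying the current word. The function names, the threshold, and the handling of ISO week 53 (which wraps back to the first word) are assumptions of this example.

```python
import datetime
import hmac
import secrets

# Constructed sample word list. A few entries are deliberately outside the
# 7-10 letter range to show that the selector filters them out.
CANDIDATE_WORDS = [
    "absolute", "cabinet", "daylight", "eleventh", "fountain", "gardener",
    "harvest", "iceberg", "journey", "kingdom", "lantern", "mountain",
    "notebook", "orchard", "pumpkin", "quarter", "railway", "sandwich",
    "triangle", "umbrella", "village", "windmill", "yesterday", "zeppelin",
    "blanket", "compass", "dolphin", "envelope", "feather", "glacier",
    "horizon", "jasmine", "library", "necklace", "octopus", "penguin",
    "rainbow", "sapphire", "tornado", "unicorn", "volcano", "chimney",
    "elephant", "firewood", "giraffe", "hammock", "marathon", "nightfall",
    "ointment", "parachute", "reservoir", "satellite", "telescope",
    "waterfall", "butterfly", "carousel", "lighthouse", "moonlight",
    "bakery", "anchor", "temperature",  # 6, 6 and 11 letters: filtered out
]


def select_weekly_words(candidates, count=52, min_len=7, max_len=10):
    """Pick `count` distinct words of the right length using the OS CSPRNG.

    `secrets` is used instead of `random` so the sheet cannot be reproduced
    by someone who guesses the seed. Returns the list to print and hand out.
    """
    pool = [w for w in candidates if min_len <= len(w) <= max_len]
    if len(pool) < count:
        raise ValueError(f"need at least {count} candidate words, have {len(pool)}")
    chosen = []
    for _ in range(count):
        # sample without replacement so no week shares a word with another
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return chosen


def current_iso_week(today=None):
    """ISO week number (1-53) for `today`, defaulting to the real date."""
    return (today or datetime.date.today()).isocalendar()[1]


def word_for_week(words, iso_week):
    """Map an ISO week to its word. Week 53 wraps to the first entry (assumption)."""
    return words[(iso_week - 1) % len(words)]


def authorize_transfer(amount, supplied_word, words, threshold, iso_week):
    """Return True if the transfer may proceed.

    Transfers at or below `threshold` pass without the word. Above it, the
    caller must supply the week's word; comparison is constant-time and
    case/whitespace-insensitive so a phone read-out is not rejected for
    trivial reasons.
    """
    if amount <= threshold:
        return True
    if not supplied_word:
        return False
    expected = word_for_week(words, iso_week).lower().encode()
    given = supplied_word.strip().lower().encode()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    sheet = select_weekly_words(CANDIDATE_WORDS)
    for week, word in enumerate(sheet, start=1):
        print(f"week {week:2d}: {word}")
    week = current_iso_week()
    print("transfer of 5,000 with no word:",
          authorize_transfer(5_000, None, sheet, threshold=10_000, iso_week=week))
    print("transfer of 50,000 with this week's word:",
          authorize_transfer(50_000, word_for_week(sheet, week), sheet,
                             threshold=10_000, iso_week=week))
```

The sheet is printed and distributed in person; nothing in the system stores it in the mailbox the attacker is after. The check runs wherever the wire instruction is approved, and a failed check is the signal to call the requester back on a known number rather than reply to the email.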

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
