Two recent publications — CMORG’s Frontier AI Guidance and the FCA’s Emerging Technology Horizon Scan 2026 — point in the same direction:
AI is already reshaping financial services. It’s improving efficiency and client experience, but it’s also accelerating cyber risk in ways firms can’t afford to ignore.
You don’t need to become a technologist. But you do need confidence that your firm is protecting client data in a world where attacks are faster, smarter, and harder to spot.
Here's what matters:
AI is raising both productivity and risk
AI is already helping firms streamline admin, summarise research, automate workflows and improve service.
But the same tools are now in the hands of criminals.
Both the FCA and CMORG highlight a shift that matters:
- Vulnerabilities are being exploited faster than ever
- Fix windows are shrinking from weeks, to days, sometimes hours
- AI is lowering the skill barrier for cybercrime, enabling more attackers to operate at scale
In short: attacks are becoming quicker, cheaper and more frequent.
The FCA is clear that firms with weak cyber security will become progressively more exposed.
What advisers should do:
- Apply software updates quickly
- Use multi-factor authentication and strong, unique passwords
- Remove unused accounts and unnecessary software access
- Act quickly on anything suspicious
Scams are becoming harder to spot
AI has changed the quality of fraud.
Phishing emails, fake documents, cloned websites and even synthetic voices are now highly convincing. The obvious red flags — spelling errors, awkward phrasing — are disappearing.
Attackers are also using publicly available data from social media, breaches and company websites to make scams feel personal and credible.
Be especially cautious with:
- Requests to change client bank details
- Withdrawal or payment instructions
- Password resets or access changes
- Any “urgent” request via phone, email or messaging apps
Trust is being actively exploited
A growing share of attacks rely on impersonation rather than technical hacking.
Criminals are posing as:
- IT support
- Software vendors
- Clients
- Colleagues
- Financial institutions
And they’re doing it across Teams, phone calls, video meetings and messaging platforms.
The message is simple: a convincing conversation is not proof of identity. Firms need clear, consistent verification processes that don’t rely on recognition or familiarity.
Suppliers are part of your attack surface
Firms are increasingly dependent on third-party providers — and attackers know it.
Your risk surface now includes:
- Platforms and CRMs
- Investment and custody systems
- Cloud and file-sharing tools
- Compliance and HR systems
- AI tools and browser extensions
- Outsourced IT providers
A breach at one supplier can cascade across thousands of firms.
What good looks like:
Advisers should expect suppliers to be able to answer:
- How is client data protected?
- Is multi-factor authentication in place?
- How quickly are vulnerabilities patched?
- How will breaches be communicated?
- What access do they actually have to your data?
Supplier due diligence is operational risk management, not procurement paperwork.
AI tools need clear governance
AI adoption is accelerating inside firms, from note-taking tools to automated workflows. The FCA highlights key risks from data leakage and privacy concerns to inaccurate outputs and overreliance on AI-generated content.
CMORG goes further, recommending that AI systems are treated as privileged applications due to the volume of data they can access.
Client data should never be entered into public AI tools without clear governance in place.
Emerging risks to watch
The FCA also highlights technologies that will shape future risk:
- Agentic AI — systems that can act independently, increasing automation risk if not tightly controlled
- Quantum computing — a long-term threat to current encryption methods
- Synthetic identity fraud — AI-generated identities and documents used to impersonate individuals
- Deepfakes — increasingly realistic voice and video impersonation
Final thoughts
AI isn’t replacing traditional cyber risk — it’s amplifying it.
The firms that succeed will be those that stay grounded in the basics: strong controls, clear processes, and a culture that treats client data as something to actively protect, not passively store.
Want to hear more?
Watch Kate Ancketill on demand as she explores how AI is reshaping the consumer experience of the future, plus earn one hour of CPD.
Watch replay
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.

