What the 2026 Verizon Data Breach Report means for financial advisers

For financial professionals only

Every year, the Verizon Data Breach Investigations Report (DBIR) provides one of the clearest pictures of how cybercriminals are attacking organisations around the world.

For financial advisers, the 2026 report contains an important message: attackers are moving faster, becoming more sophisticated, and increasingly targeting the kinds of systems and information advisers rely on every day.

The report analysed more than 31,000 security incidents and over 22,000 confirmed breaches across 145 countries. The findings show that protecting client data now requires much more than simply being aware of phishing emails. Source: Cyber Insurance News.

Security risk has shifted from passwords to system vulnerabilities

One of the biggest shifts in this year’s report is that software vulnerabilities are now the number one way attackers break into organisations, overtaking stolen credentials for the first time in the DBIR’s history. Verizon found that exploiting vulnerabilities accounted for 31% of breaches, compared to 13% involving stolen credentials. Source: Verizon.

For advisers, this is a reminder that cyber security isn’t only about strong passwords — it’s also about keeping systems, browsers, and devices updated. Attackers are increasingly targeting software that hasn’t been updated because they know many organisations delay updates. Verizon reported that organisations took a median of 43 days to remediate vulnerabilities, while attackers can now weaponise flaws in hours using AI-assisted techniques. Source: TechTarget, page 6.

What advisers should do:

  • Keep laptops, phones, browsers, and applications updated
  • Remove unused software and browser extensions
  • Make sure third-party IT providers keep their systems updated with the latest security fixes and software updates
  • Use reputable vendors with strong security processes

Social hacking is moving beyond email

The report highlights that attackers are increasingly shifting toward mobile phone-based phishing, voice calls, and text message scams because users are becoming better at spotting traditional phishing emails. Verizon found that mobile phone attacks achieved a 40% higher success rate than email phishing. Source: Verizon, page 12.

This is particularly important for financial advisers, where attackers may impersonate clients over the phone or use information from previous breaches to sound convincing. A scammer doesn’t necessarily need technical hacking skills if they can persuade someone to reset a password, remove security controls such as MFA, or change account details over a call.

What advisers should do:

  • Apply consistent client verification checks across the entire team
  • Never reset passwords or security details without proper validation (e.g. by contacting the client using their known mobile number)
  • Be cautious of urgent or emotional requests made by phone or over MS Teams, Zoom, etc.
  • Train staff to recognise social engineering, not just phishing emails

Third-party cyber-crime stats are growing

One of the most concerning findings is the rise in third-party breaches, which increased by 60% year-over-year and were involved in 48% of breaches. Source: TechTarget, page 14.

For advisers, this matters because your cyber security is only as strong as the suppliers and platforms you use — including CRMs, investment platforms, file-sharing tools, compliance software, and outsourced IT providers. Even if your own security is strong, a compromise at a supplier could expose client data or disrupt services.

What advisers should do:

  • Assess suppliers’ security standards before onboarding
  • Review who has access to your client data
  • Limit integrations and unnecessary third-party applications
  • Ensure MFA and least privilege access are enforced for vendors

Phishing in financial services remains a prime target

The report specifically highlights the financial and insurance sector as a “favourite among attackers” because the industry’s core business involves money. Verizon notes that the top threats affecting the sector are: 

  • Ransomware
  • Phishing
  • Exploitation of vulnerabilities
  • Stolen credentials
  • Human error and third-party exposure

The report also found that the human element was involved in 65% of breaches affecting the financial sector. 

This reinforces an important point: technology alone won’t protect firms. Staff awareness, strong processes, and consistent verification remain critical.

AI and cyber attacks

Another major theme throughout the report is the growing impact of AI on cyber attacks. Verizon warns that AI is helping attackers identify vulnerabilities and scale attacks faster than ever before. The report also highlights the rise of “shadow AI” — employees using unapproved AI tools with company information — which is now one of the leading causes of accidental data leakage. Source: Verizon, page 8.

For advisers handling confidential financial information, this presents a real concern. Pasting client data into public AI tools may unintentionally expose sensitive information outside the organisation.

What advisers should do:

  • Only use company-approved AI tools
  • Never input confidential client information into public AI platforms
  • Review permissions granted to AI browser tools and plugins
  • Create clear policies around AI usage

Final thoughts

The 2026 DBIR reinforces a simple but important message: attackers are evolving, but many breaches still come back to the fundamentals — delayed software updates, weak verification processes, excessive access, and lack of visibility.

For financial advisers, protecting client data means thinking beyond phishing emails alone. It means securing devices, reviewing suppliers, challenging unusual requests, keeping systems updated, and recognising that cyber attacks are becoming more personal, conversational, and AI-assisted.

Ultimately, the firms that stay safest aren’t necessarily the most technical — they’re the ones that stay aware, apply strong fundamentals consistently, and build a culture where protecting client information is everyone’s responsibility.

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.