5.7 million records. That's how many individual client files allegedly spilled out of Mercer Advisors after a ShinyHunters attack in February 2026. Mercer manages $96 billion in assets for some of the wealthiest families in America. Their refusal to pay the ransom allegedly led ShinyHunters to dump the data on the dark web. Two class-action lawsuits followed within two weeks.
Mercer was not alone. Hightower disclosed a breach affecting 131,483 people. Beacon Pointe confirmed a hack. Pathstone Family Office, managing roughly $170 billion in assets, was targeted the same week. According to reporting by InvestmentNews and Cybernews, the wave of attacks against registered investment advisers (RIAs) spread across more than ten firms in the first half of 2026, including Edelman Financial Engines, EP Wealth, Cetera, and Ameriprise. RIA cybersecurity in 2026 has become the defining compliance story in wealth management.
Ten firms. One dominant attack group. One shared failure. No multi-factor authentication.
The Attack Pattern Is Deceptively Simple
ShinyHunters does not rely on zero-day exploits or nation-state sophistication. Their documented pattern is built around credential theft: call firm employees impersonating internal IT support, use AI voice platforms to sound credible, convince someone to confirm credentials or reset a password, then log in. No malware needed. No network scanning. Just a phone call and an unlocked door.
MFA closes that door. With MFA in place, stolen credentials are nearly worthless. The attacker needs a second factor, typically a code on the victim's phone, that they cannot manufacture from a social engineering call alone. The class-action complaints against Mercer allege MFA was absent on systems containing millions of client records.
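As an added illustration (not code from the article or from Mytec), here is a small Python check over constructed authentication events that flags logins matching the pattern above: a login that skipped MFA, or one that followed a help-desk password reset within a short window from an IP address that user has never used. The event field names and the 30-minute window are assumptions, not any vendor's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users and documentation-range IPs).
# kind: "reset" = help-desk initiated password reset, "login" = successful login.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:02:00", "user": "jdoe", "kind": "login", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2026-02-10T13:40:00", "user": "jdoe", "kind": "reset", "ip": "198.51.100.5", "mfa": False},
    {"ts": "2026-02-10T13:47:00", "user": "jdoe", "kind": "login", "ip": "198.51.100.77", "mfa": False},
    {"ts": "2026-02-10T14:00:00", "user": "asmith", "kind": "login", "ip": "203.0.113.11", "mfa": True},
    # Legitimate reset: same user logs back in from a known IP and completes MFA.
    {"ts": "2026-02-10T14:30:00", "user": "asmith", "kind": "reset", "ip": "198.51.100.5", "mfa": False},
    {"ts": "2026-02-10T14:35:00", "user": "asmith", "kind": "login", "ip": "203.0.113.11", "mfa": True},
]

RESET_WINDOW = timedelta(minutes=30)  # assumed tuning value


def find_risky_logins(events, window=RESET_WINDOW):
    """Return logins that look like the social-engineering pattern: no MFA,
    or a login from a never-seen IP shortly after a password reset."""
    events = sorted(events, key=lambda e: e["ts"])
    known_ips = {}   # user -> IPs seen on earlier MFA-verified logins
    last_reset = {}  # user -> timestamp of the most recent password reset
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["kind"] == "reset":
            last_reset[user] = ts
            continue
        reasons = []
        if not e["mfa"]:
            reasons.append("no_mfa")
        reset_ts = last_reset.get(user)
        if (reset_ts is not None and ts - reset_ts <= window
                and e["ip"] not in known_ips.get(user, set())):
            reasons.append("new_ip_after_reset")
        if reasons:
            findings.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
        # Only MFA-verified logins teach us a user's "known" IPs, so a login
        # that slipped through without MFA never whitelists the attacker's address.
        if e["mfa"]:
            known_ips.setdefault(user, set()).add(e["ip"])
    return findings


if __name__ == "__main__":
    for finding in find_risky_logins(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only the jdoe login seven minutes after a reset is flagged, with both reasons; the asmith reset followed by an MFA-verified login from a known address is not.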
The FTC Safeguards Rule, as amended in 2023, explicitly requires multi-factor authentication for any employee accessing customer information. Not recommends. Requires. Civil penalties for violations can reach $51,744 per violation per day. A firm managing $96 billion in client wealth, operating without MFA in 2026, was not just unlucky. It was non-compliant.
Why RIAs Are Different, and Why That Matters
Most small businesses that get breached lose payment data or email records. Investment advisers lose something worse: the full financial, legal, and personal identity picture of their clients.
The Mercer breach allegedly exposed Social Security numbers, legal documents, estate planning files, and emergency contact details. Combine those with investment holdings data that RIAs routinely store, and you have everything an identity thief, a fraudster, or a targeted social engineer could want. These clients cannot change their Social Security numbers. The damage follows them for decades.
That concentrated sensitivity is exactly why ShinyHunters and similar groups target this sector. The data is valuable. Security is often underfunded relative to AUM. The litigation and regulatory exposure for victims is enormous, which creates pressure to pay. Except paying does not guarantee data deletion. It removes the immediate threat of publication, until the next demand.
The Regulatory Landscape RIAs Must Navigate
RIAs operating under SEC oversight face layered cybersecurity obligations that have grown stricter in recent years.
Amended Regulation S-P requires client notification within 30 days of discovering a breach involving sensitive customer information. The FTC Safeguards Rule requires MFA, regular penetration testing, and documented vendor oversight, with civil penalties for violations up to $51,744 per violation per day. SEC examination programs have consistently flagged cybersecurity as a priority, and firms that suffer a significant breach should expect an SEC review of their written security program.
The class-action complaints against Mercer cite failures across multiple frameworks: no MFA, no regular audits, inadequate credential protection. Regulators and plaintiffs alike will ask the same questions when reviewing a breached firm's program.
Here is the contrarian point worth sitting with: full compliance with all applicable frameworks does not guarantee you avoid an attack. Motivated groups like ShinyHunters will find new angles. What compliance does is dramatically narrow the attack surface, establish that you behaved reasonably, and protect you in the litigation and regulatory scrutiny that follows a breach. The goal is not perfection. It's demonstrable, documented due diligence.
What This Means for Smaller RIAs
Mercer, Hightower, and Pathstone have legal teams and compliance departments. They can absorb class-action lawsuits, even painful ones. A small wealth management firm with five advisers and $500 million in AUM likely cannot.
Yet small RIAs hold the same client data, face the same threats, and carry the same regulatory obligations. ShinyHunters does not screen targets by AUM. Firms that look like easy targets get attacked regardless of size.
Multi-factor authentication should be active on every system that touches client data: email, CRM, portfolio management software, and remote access tools. For most small firms, this takes days to implement, not months.
Credential monitoring services flag when employee passwords appear in dark web dumps. Knowing before the attacker logs in is the difference between a near-miss and a headline.
A written incident response plan does not need to be 80 pages. It needs to answer: who calls whom when you discover a breach, when do you notify clients, who handles regulatory reporting, and who are your outside counsel and forensics contacts. Test it once a year.
Annual penetration testing and vulnerability scanning, conducted by a qualified third party, identify gaps before attackers find them. The FTC Safeguards Rule requires it. The cost of the test is a fraction of the cost of a breach.
Sound Familiar?
If your firm has been watching the Mercer and Hightower headlines and thinking "that won't happen to us," now is the time to test that assumption with an actual security assessment, not a gut check.
At Mytec, we work with financial services businesses in the Midwest that want to get ahead of these risks before they become headlines. A free assessment covers your current MFA status, monitoring, backups, and incident response plan, and tells you exactly where you stand before an attacker or an examiner does it for you.
Ready to find out where your gaps are? Reach out to schedule your free security assessment today.
