
Security Questions Wealth Managers Should Ask Tech Providers in 2026

A major European wealth tech provider serving hundreds of firms was recently hit by ransomware. Client data, employee records, and encryption keys were dumped online. The incident created a reputational crisis that will take months to resolve. 

And honestly? It didn’t have to happen.

Watching stories like this unfold across the industry made one thing clear: whilst wealthtech is evolving fast, security practices aren’t keeping pace. These failures aren’t technical accidents; they’re the result of bad choices. And with 76% of companies struggling with increased AI-powered attacks at the end of 2025, this problem is only going to keep growing next year. Unless firms start asking the right questions.

The Problem with Cutting Corners

Of course, I’m not suggesting that wealth managers don’t understand cybersecurity. In my conversations with firms, security questions always come up – usually quite detailed ones. The challenge is less about any lack of concern and more about knowing which questions actually matter.

The problem runs deeper than most realise. Unlike traditional custodians, many wealth tech providers operate under different regulatory frameworks, or sometimes none at all. They’re not subject to the same security audits or operational resilience standards. And enabling access to this sensitive information can be a huge risk. 

Think about it this way: would you allow an unregulated entity to hold your clients’ physical assets? Of course not. Yet many firms routinely grant access to equally sensitive financial data to technology providers with minimal regulatory oversight.

Legitimate data providers that manage payment accounts in Europe must obtain an Account Information Service Provider licence under PSD2. It’s not just a tick in a box and a piece of paper. You have to demonstrate robust security controls to regulators like the Bank of Spain. The licensing process is rigorous precisely because regulators understand the risks involved.

From January 2025, DORA – the Digital Operational Resilience Act – has raised the bar further, requiring technology providers to meet the same standards of business practice as financial institutions themselves. This eliminates the regulatory grey areas in which some providers have operated.

But there are a number of wealth managers using providers who operate in grey areas. They claim “partnership” with licensed entities or suggest their services fall outside regulatory scope. These arrangements might seem attractive. And they’re often cheaper. But they transfer enormous risk to your firm.


Building Your Security Playbook

Sensitive data protection starts with asking the right questions.

Over the years, we’ve developed a checklist we use internally at Flanks every time we evaluate a technology partner – and it’s the same framework we recommend wealth managers use when assessing their own providers, including us.

Regulatory status should always come first. Is the provider regulated by a government authority? Can they provide their licence number? Do they have cybersecurity certifications? Can they demonstrate DORA compliance through incident reporting procedures and regular penetration testing? If they’re operating through a third-party licence, understand exactly why.

Security certifications matter, but not all are created equal. The key is understanding what’s actually been tested and by whom. Look for independent audits that evaluate security controls over time, not just at a single point. And don’t just accept a logo on a website – ask to see the actual audit reports and understand their scope.

But don’t stop at certifications. Dig into the technical architecture. How is data protected? Are encryption keys managed by the provider or do you retain control? Can data be stored on-premise? These questions determine your ability to maintain control over client information.

The authentication model deserves special attention. Many providers still rely on stored client credentials: basically digital keys to your clients’ accounts. This creates an obvious attack vector. Better providers use Power of Attorney arrangements or direct API connections that eliminate credential storage entirely.

Data access controls reveal a provider’s security maturity. Can you configure exactly what data is accessed for each client? Can you exclude personally identifiable information if it’s not needed? Is access truly read-only? 

Audit trails often get overlooked but are crucial. You should be able to see exactly what data was accessed, when, and by whom. We log everything: which data was retrieved, the communication between our system and the bank, complete traceability of what happened and when.

What Matters Beyond Technology

However, all the fancy security architecture in the world doesn’t matter if the people running it are cutting corners.

You need to understand who’s actually behind the technology. Staff should be vetted. As they operate in the cloud, they should have documented recovery plans that meet DORA’s requirements for maintaining service continuity after major incidents: not just theoretical backups, but tested procedures. Outages happen all the time in cloud environments, so you had better know they’ve thought it through.

Take the recent CrowdStrike outage: the wealth tech firms that survived this without any damage done were the ones that had properly segregated everything from the start. It’s like having fire doors in a building – you hope you never need them, but when something goes wrong, you’re really glad they’re there. 

Transparency is also very important. Security isn’t about being perfect. Nobody is. Instead, you want to partner with a wealthtech that has the right controls, can detect problems fast, and respond properly when things go wrong. If a provider gets cagey when you ask about their incident response process, that tells you everything you need to know.

Your clients are trusting you with their most sensitive financial information. When you hand that off to a tech provider, you’re essentially extending that trust chain. The cost of getting this wrong (regulatory fines, lost clients and a destroyed reputation) massively outweighs the potential savings of using a cheaper option.

Regulations like DORA are finally catching up to the risks, making security and operational resilience non-negotiable regulatory requirements. With AI putting more and more pressure on financial institutions’ security setups, it’s high time companies got the process right and treated vendor risk as seriously as internal risk.

By Sergi Lao

Computer Engineering graduate from Universitat Politècnica de Catalunya specialising in cybersecurity, serves as CISO and Co-Founder at Flanks, leading the company's information security strategy and development of secure infrastructure for wealth managers.
