In early 2024, a finance employee in Hong Kong sat down to a video call with colleagues he recognized — the CFO, a few senior managers. They authorized a large transfer. The problem was that none of those people were actually on the call. They were deepfakes. The money was gone before anyone figured out what had happened.
That case got some coverage. Then the news cycle moved on. But the people who think about financial security for a living did not move on, because that incident described something the industry had quietly feared for years: the moment AI stopped being a tool that helped defenders and started being a weapon that worked at scale against them.
Asset managers sit in a particularly exposed position. They manage concentrated wealth for clients who trust them with decades of financial planning. They hold wire instructions, portfolio data, research, and credentials that connect directly to custodians and fund administrators. And they tend to run on hybrid infrastructure — some legacy systems that have been there for fifteen years, some modern cloud, and an increasingly thick layer of SaaS and AI tools on top. The attack surface has never been larger. The tools available to attackers have never been better. And a new threat is forming on the horizon that is not hypothetical anymore: quantum computing.
This is not a checklist. It is an attempt to explain what is actually happening, why asset managers are a specific kind of target, and what the next few years are likely to look like if the industry does not stop treating authenticity signals as proof of authorization — and start building processes that hold even when every signal is synthetic.
The old threats did not go away — they got worse
Business email compromise is not a glamorous attack. There is no sophisticated malware, no zero-day, no nation-state attribution. Someone sends a convincing email from a spoofed domain asking for wire instructions to be updated. A person authorizes it. The money moves. The SEC has brought enforcement actions against registered investment advisers for exactly this failure — not because the technology failed, but because the process did not exist to catch it.
For years this worked through volume: send enough convincing emails and some percentage of recipients comply. What has changed is the personalization. Large language models can draft a wire-fraud lure that references a client’s actual portfolio holdings, their adviser’s communication style, a recent market event relevant to their account, and a plausible sense of urgency — all generated in seconds. The attacker does not need to know the target personally. They need to know how to write a prompt.
The same applies to phishing more broadly. Social engineering that once required a skilled operator now scales automatically. A firm that processed ten suspicious emails a week may now need to evaluate a hundred, and the quality of each one is higher than what a human could produce in the same time.
Ransomware followed a similar arc. The early versions were unsophisticated. Modern ransomware operators run businesses with support teams, negotiators, and affiliate programs. They exfiltrate data before encrypting, so the threat is not just operational disruption but client notification and regulatory reporting — exactly the kind of event that the SEC’s amended Regulation S-P (effective December 2025 for large advisers) now mandates a formal written response to. An asset manager hit with ransomware is simultaneously managing a business continuity crisis, a client communication crisis, and a regulatory obligation, on a thirty-day notification clock for affected customer information.
The identity layer is where most breaches actually happen
If you look at how financial firm breaches unfold in practice, very few of them start with a clever zero-day exploit. Most start with identity: a stolen credential, a misconfigured SaaS tenant, a third-party vendor whose access was never scoped properly, an ex-employee whose access was never revoked.
The 2024 pattern involving Snowflake customer tenants illustrated this at scale. Attackers did not break Snowflake. They used stolen workforce credentials — often obtained through earlier credential-stuffing attacks or malware — to access cloud analytics tenants that organizations had not protected with MFA. The identity layer between the corporate IdP and the SaaS platform was the gap. For an asset manager that stores client reporting, fee analytics, or portfolio aggregates in cloud data warehouses, that gap is the same gap.
Asset managers run what is effectively two separate identity systems, and they do not always build them that way. There is the workforce side — employees and contractors authenticating to internal systems, CRM, operations tools, research platforms — and there is the client side — high-net-worth individuals and institutional contacts accessing a portal to view statements, exchange documents, and in some cases initiate servicing requests. These two populations have different threat models, different authentication expectations, and completely different blast radii when something goes wrong. A workforce breach and a client portal takeover are not the same incident. Treating them as the same design problem is the mistake.
Privileged access sits at the center of both. The domain administrator who can modify AD groups. The Salesforce administrator who can export the entire client list. The integration account that connects to the custodian’s API. These accounts exist in almost every firm, and in many cases they share passwords, lack audit trails, and have never been through a formal access review. When an insider threat materializes — an employee leaving with client data, a contractor who retained access after their engagement ended — it almost always runs through a path that existed because someone decided the risk was tolerable. It usually wasn’t.
The separation of duties problem is specific to financial services in a way it is not for most other industries. Wire instructions need to move through distinct request, approval, and execution roles. Research that contains material non-public information cannot reach client-service employees who could act on it improperly. These are not theoretical compliance concerns. They are the operational patterns that, when missing from the identity architecture, create both fraud vectors and regulatory exposure simultaneously.
AI changed the offense more than it changed the defense
There is an industry narrative that AI is going to transform security defenses — better anomaly detection, faster threat response, smarter identity risk scoring. Some of that is real. Adaptive authentication, which uses device signals, location, behavior patterns, and session context to decide when to require additional verification, has gotten meaningfully better as the underlying models improved. User and entity behavior analytics can now surface insider threat patterns that would have required a human analyst weeks to find.
But the honest assessment is that AI improved the offense more, and faster, than it improved the defense. The deepfake case in Hong Kong is not an isolated anomaly. It is the first widely reported instance of a pattern that is becoming cheaper and more accessible every month. The video and audio quality required to impersonate a CFO on a conference call has dropped from something that required a sophisticated nation-state actor to something that requires a moderately skilled attacker with access to publicly available tooling and a few hours of source footage.
What does this mean for an asset manager? It means that any approval workflow that relies on real-time voice or video as an authentication signal is now compromised by default. The phone call to confirm a wire was always supposed to use a verified callback number from a previously established relationship — not the number provided in the instruction itself. Most firms know this policy. Not all of them enforce it consistently. That gap is exactly where synthetic media attacks will land.
The internal threat from AI is subtler but just as significant. Employees across financial firms are using large language models for research, drafting, summarization, and analysis. Many of them are using consumer-grade tools that have no enterprise data controls, no audit trail, and no assurance that input data is not used for training. When a relationship manager pastes a client’s portfolio situation into a chat interface to draft a quarterly letter, that data has left the firm’s control boundary. Whether it lands in a model training corpus, gets stored in a third-party system under a foreign jurisdiction, or simply sits in an unencrypted log file somewhere is entirely out of the firm’s hands. (I wrote about this cross-border dimension separately in the context of Chinese AI providers; the core issue is the same regardless of which provider employees reach for.)
For asset managers, this is not a general data governance problem. It is a specific legal and regulatory problem. Client data subject to Regulation S-P, MNPI governed by securities law, and portfolio information covered by fiduciary duty cannot simply leave the firm via an unapproved chat interface. But the tools are convenient, they are fast, and the policy infrastructure to govern them is still being built at most firms.
The quantum threat is not science fiction anymore
Here is where I want to spend some time, because this is the threat that the financial industry is least prepared for and has the longest lead time to address.
Most of the cryptographic protections the financial industry relies on today — the TLS that secures client portals, the RSA and elliptic-curve algorithms that protect key exchange and digital signatures, the encryption on at-rest data — are based on mathematical problems that are very hard for classical computers to solve. A sufficiently capable quantum computer running Shor’s algorithm can solve those problems efficiently. That changes the security properties of essentially everything built on public-key cryptography.
NIST finalized its first set of post-quantum cryptography standards in 2024. The timeline for cryptographically relevant quantum computers is genuinely uncertain — estimates range from a decade to much longer, and there is real scientific disagreement. But the financial industry faces a problem that makes uncertainty irrelevant in the near term: harvest now, decrypt later.
This is the attack pattern where adversaries collect encrypted data today — intercepting TLS traffic, capturing encrypted backups, acquiring encrypted databases — with the intent of decrypting it once quantum computing reaches the required capability. For most industries this is an abstract risk. For asset managers, who hold long-lived client relationships, multi-decade wealth management records, estate planning documents, and historical trading information, the data being harvested today may still be sensitive in ten or fifteen years. If a nation-state actor is collecting encrypted traffic from financial advisory firms right now, they may not need to decrypt it for a decade. But when they can, they will.
The migration to post-quantum cryptography is not a software update. It requires identifying every place that public-key cryptography is used — TLS termination, certificate authorities, API authentication, VPN infrastructure, signing keys, data encryption at rest, HSMs, vendor integrations — and replacing the underlying algorithms. Some of those systems are legacy. Some are SaaS platforms where the firm has no direct control over the cryptographic implementation. Some are custodian and fund administrator integrations where the migration requires coordination across organizations.
The firms that will be in the best position when this migration becomes urgent are the ones that started the inventory now. Not because they will have completed the migration — no one has — but because they will know where the exposure is. Cryptographic agility, the ability to swap algorithms without architectural changes, is what the industry should be building toward. Most are not there yet.
What trust actually means in this environment
The thread running through all of this — AI-powered social engineering, identity gaps that let breaches propagate, shadow AI that exports client data, quantum harvesting that compromises encrypted archives — is that the concept of trust has eroded at every layer simultaneously.
Email cannot be trusted as an authoritative channel for instructions. Real-time video cannot be trusted as an authentication signal. A credential is not the same as identity. A vendor relationship is not the same as a security boundary. A compliance framework is not the same as operational security.
What remains is architectural trust: controls that do not depend on any single signal being authentic. Dual approval workflows where no single person can authorize a large wire. Out-of-band verification using pre-established numbers that an attacker cannot intercept in the moment. Step-up authentication at the client portal that re-challenges the session before a sensitive action completes, regardless of how long the user has been logged in. Scoped credentials for AI systems that limit what an agent can do even if it is manipulated. Audit trails that answer “who approved this and when” independently of the person being asked.
These are not new ideas. They are implementations of old ideas that the financial industry has always understood in principle but has not always built into systems that run against AI-scale attacks and quantum-capable adversaries. The gap between the policy and the implementation is where the risk lives.
The identity plane is still the right place to start
Given everything above, a reasonable question is: where does a security or engineering team actually begin? The threat landscape is broad and the resources to address it are finite.
Identity is still the right starting point, for a simple reason: most of the attacks described here either exploit an identity failure or are made significantly harder by a strong identity foundation. A wire fraud attack is harder when the approval workflow requires separate roles with auditable authorization. A credential-stuffing attack against a client portal is harder when adaptive MFA escalates on signals that pattern-match the attack. A shadow AI exposure is harder when the IdP policy blocks consumer LLM endpoints on corporate networks. A quantum harvesting attack is harder when the TLS infrastructure begins migrating to hybrid post-quantum cipher suites.
None of this is a complete answer. But if a firm is deciding where to invest the next security cycle, the identity layer — workforce and client, both planes, including machine identity for integrations and AI systems — is where the controls compound. Good identity architecture makes almost every other control more effective, because it enforces who gets to act before the action happens, rather than detecting the damage afterward.
The threat is no longer a person at a keyboard running a script. It is an AI system generating thousands of personalized attacks, potentially powered by a state actor with a quantum roadmap and a file of encrypted data they are patiently waiting to open. The window to build the foundation before that threat fully materializes is open. It will not stay open indefinitely.
The core argument
- AI scaled the offense first — deepfakes, personalized BEC, and shadow AI are operational threats now, not theoretical ones.
- Identity failures drive most breaches — credential gaps, stale access, and weak SaaS tenant controls are the common path.
- Quantum is a now problem, not a future one — harvest-now-decrypt-later means long-lived financial data is already at risk.
- Process is still the backstop — deepfakes defeat video authentication; dual control and out-of-band verification do not.
- Cryptographic agility is the quantum mitigation — start the inventory; migration will take years.
- Identity is where controls compound — workforce and client planes, machine identity, scoped AI credentials, auditable approval chains.
Further reading
- Follow-up — Wire fraud controls that survive deepfakes (operational companion to this post)
- Reference guide — Attack catalog, IAM architecture, frameworks, and decision matrices (detailed technical companion to this post)
- SEC — Amendments to Regulation S-P (May 2024)
- NIST — Post-Quantum Cryptography Standardization
- NIST Cybersecurity Framework
- CISA — Post-Quantum Cryptography FAQ
- SEC enforcement actions (search: investment adviser cybersecurity)
- Prior post — Third-party AI vendor risk and cross-border data exposure
#AssetManagement #CyberSecurity #QuantumComputing #AIThreats #Deepfakes #IAM #FinancialServices #PostQuantumCryptography #InfoSec