7 steps to protect your client’s security in the age of AI

Your clients entrust you with their most sensitive financial details. Protecting that information isn’t only a regulatory requirement—it’s essential to maintaining trust and differentiating your advice.


Below are practical, actionable strategies you can implement, including a few that have changed as artificial intelligence has begun to reshape the threats your clients face.

1. Password managers and multi-factor authentication

One of the most important things you can do to protect clients is to ensure that your team always uses password managers and multi-factor authentication.

Multi‑factor authentication (MFA) is generally available in custody platforms (including Betterment Advisor Solutions), email, CRM systems, and any platforms that store sensitive data. It’s one of the most effective, low-cost defenses against account compromises. There is even a handy website that allows you to look up whether a particular platform supports this type of authentication.

You can pair MFA with a password manager to ensure your team uses long, unique, and complex passwords for every account—without the burden of remembering them all. A password manager reduces the risk of password reuse, which is a common cause of breaches, and makes it easier to update credentials regularly. 

Because MFA and password managers are so effective, consider going beyond your own firm and advising clients to use them as well.

2. Avoid social engineering—and AI-powered phishing

Cybercriminals use phishing and other types of social engineering—through texts, emails, and even voice messages that mimic trusted contacts—to bypass the controls financial institutions have in place.

As artificial intelligence technology has become widespread, criminal actors are doubling down on the use of social engineering. They can even use AI voice or video deepfakes to mimic clients or custodians calling in with urgent instructions. As Sam Altman recently warned at a Federal Reserve event:

“A thing that terrifies me is apparently there are still some financial institutions that will accept a voice print as authentication for you to move a lot of money or do something else.” 

He emphasized that “AI has fully defeated most of the ways that people authenticate currently – other than passwords.” 

To address this risk, it’s important for your firm to have multi-layered verification (e.g., callbacks to verified numbers, code words, or secure portal confirmations) rather than just relying on voice authentication. You may also work with your IT provider to schedule ongoing simulated phishing exercises for training purposes. 

Remind your team: AI makes impersonation more believable than ever.
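The layered verification described above can be written down as an explicit policy rather than left to each staff member's judgement in the moment. The following is an added example, not code from the original article or from Betterment: a small Python policy check for a money-movement request that accepts either an MFA-authenticated portal session or a callback to the number already on file plus a shared code word, and that deliberately gives no weight to a voice-print match. The client record, field names, and channel labels are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what a firm's CRM might hold per client (hypothetical data).
CLIENTS_ON_FILE = {
    "C-1001": {"phone_on_file": "+1-555-0100", "code_word": "harbor"},
}


@dataclass
class MoneyMovementRequest:
    client_id: str
    amount: float
    channel: str                                     # "portal", "phone", "email", "text", "voice_message", "video_call"
    portal_session_mfa: bool = False                 # True only for a logged-in, MFA-verified portal session
    callback_number_used: Optional[str] = None       # number the firm dialled back, if a callback was made
    code_word_given: Optional[str] = None            # code word the caller supplied during the callback
    voice_print_matched: bool = False                # result of any voice-print check; deliberately ignored
    contact_number_in_request: Optional[str] = None  # a "call me back on" number supplied by the requester


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def verify_request(req: MoneyMovementRequest, clients=CLIENTS_ON_FILE) -> Decision:
    """Apply the firm's layered verification policy to one money-movement request."""
    client = clients.get(req.client_id)
    if client is None:
        return Decision(False, ["unknown client id"])

    # Layer 1: a request submitted inside an MFA-authenticated portal session stands on its own.
    if req.channel == "portal" and req.portal_session_mfa:
        return Decision(True, ["submitted via MFA-authenticated client portal"])

    reasons = []
    # Voice or video likeness is never counted as a factor, whatever the matcher said.
    if req.voice_print_matched:
        reasons.append("voice print ignored: not accepted as an authentication factor")

    # A requester-supplied callback number is a red flag, never a verification target.
    if req.contact_number_in_request and req.contact_number_in_request != client["phone_on_file"]:
        reasons.append("request supplied a contact number that differs from the number on file")

    # Layer 2: the callback must have gone to the number on file.
    callback_ok = req.callback_number_used == client["phone_on_file"]
    if req.callback_number_used is None:
        reasons.append("no callback performed")
    elif not callback_ok:
        reasons.append("callback went to a number not on file")

    # Layer 3: the shared code word, compared in constant time.
    given = (req.code_word_given or "").strip().lower()
    codeword_ok = bool(given) and hmac.compare_digest(given.encode(), client["code_word"].encode())
    if not codeword_ok:
        reasons.append("code word missing or incorrect")

    if callback_ok and codeword_ok:
        # Any red flags collected above travel with the approval so the reviewer still sees them.
        return Decision(True, ["callback to number on file and code word confirmed"] + reasons)
    return Decision(False, reasons)


if __name__ == "__main__":
    urgent_voicemail = MoneyMovementRequest("C-1001", 50000.0, "voice_message",
                                            voice_print_matched=True,
                                            contact_number_in_request="+1-555-0199")
    print(verify_request(urgent_voicemail))
```

The point of the structure is that the only paths to approval are the portal session or the callback-plus-code-word pair; a convincing voice, an urgent tone, or a "call me back on this number" instruction in the request never shortens the path.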

3. Encrypt data in transit and at rest

Ensure that client data is encrypted during storage and transmission. 

Start by ensuring that your key service providers have good encryption practices. For communication that involves sensitive information, use a secure client portal rather than email attachments.

Also work with your IT provider to ensure that mobile devices and computers are fully encrypted (for example, by enabling BitLocker for Windows or FileVault for Mac); this will help ensure that if a device is lost or stolen, the data remains protected. Pairing encrypted storage with secure transmission methods ensures client information is safeguarded at multiple layers.

4. Scrutinize third-party vendors

Many firms rely on outside vendors to manage parts of their business. That’s why financial regulators emphasize oversight of third-party security practices: client data can still be at risk even if it’s stored by someone else. When vetting custodians, software providers, and other partners, confirm they implement robust security measures—encryption, access controls, incident response plans—and document your due diligence.

Many businesses now host a Trust Portal (for example, the Betterment Trust Portal) where advisors can securely access independent audit reports, penetration test summaries, and other compliance materials. Leveraging these resources helps you demonstrate compliance with regulatory expectations while ensuring vendors meet your firm’s security standards.

5. Use AI for monitoring and fraud detection

AI isn’t just a threat—it’s also a defense. Advisors can work with their IT provider to deploy AI-enabled cybersecurity controls such as endpoint detection and response (EDR) software, which continuously monitors laptops and other devices for suspicious behavior, such as unauthorized access attempts or malware activity. This adds a layer of proactive protection beyond traditional antivirus tools.

To protect client accounts from fraud, platforms like ours flag unusual patterns that may indicate identity theft or other types of fraud, helping detect issues more effectively. Prioritize monitoring these alerts to help prevent fraud before your clients are impacted.
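To make "unusual patterns" concrete, here is an added example (not code from the original article or from any platform's fraud system) of two simple detection rules run over a constructed account-activity log in Python: a burst of failed logins immediately followed by a success, and a login from a never-seen device followed by a bank-link change and a withdrawal within a day. The event format, thresholds, and rule names are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumed values, not any product's real settings).
FAILURE_THRESHOLD = 5                     # failed logins within the window before a success
FAILURE_WINDOW = timedelta(minutes=10)
TAKEOVER_WINDOW = timedelta(hours=24)     # new-device login -> bank change -> withdrawal

# Constructed sample activity log, sorted by time (not real client data).
SAMPLE_EVENTS = [
    {"ts": "2024-04-20T10:00:00", "account": "A2", "type": "login_success", "device": "dev-known-2"},
    {"ts": "2024-05-01T09:00:00", "account": "A1", "type": "login_success", "device": "dev-known-1"},
    {"ts": "2024-05-01T09:05:00", "account": "A1", "type": "withdrawal", "device": "dev-known-1", "amount": 500},
    {"ts": "2024-05-02T03:00:00", "account": "A2", "type": "login_failed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:01:00", "account": "A2", "type": "login_failed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:02:00", "account": "A2", "type": "login_failed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:03:00", "account": "A2", "type": "login_failed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:04:00", "account": "A2", "type": "login_failed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:05:00", "account": "A2", "type": "login_success", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T03:10:00", "account": "A2", "type": "bank_link_changed", "device": "dev-unknown-9"},
    {"ts": "2024-05-02T05:00:00", "account": "A2", "type": "withdrawal", "device": "dev-unknown-9", "amount": 25000},
]


def detect_suspicious_activity(events):
    """Run two account-takeover rules over a time-ordered event list and return alerts."""
    alerts = []
    recent_failures = defaultdict(deque)   # account -> timestamps of failed logins inside the window
    known_devices = defaultdict(set)       # account -> devices seen in earlier successful logins
    new_device_login = {}                  # account -> timestamp of the latest login from an unseen device
    bank_change_after_new_device = {}      # account -> timestamp of a bank-link change following that login

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        acct, kind = ev["account"], ev["type"]
        q = recent_failures[acct]
        while q and ts - q[0] > FAILURE_WINDOW:   # expire failures older than the window
            q.popleft()

        if kind == "login_failed":
            q.append(ts)
        elif kind == "login_success":
            # Rule 1: a burst of failures immediately followed by success (password guessing or stuffing).
            if len(q) >= FAILURE_THRESHOLD:
                alerts.append({"account": acct, "rule": "failures_then_success", "ts": ev["ts"]})
            q.clear()
            # Track first-seen devices; the first login ever on an account counts as a new device too.
            if ev["device"] not in known_devices[acct]:
                known_devices[acct].add(ev["device"])
                new_device_login[acct] = ts
                bank_change_after_new_device.pop(acct, None)
        elif kind == "bank_link_changed":
            if acct in new_device_login and ts - new_device_login[acct] <= TAKEOVER_WINDOW:
                bank_change_after_new_device[acct] = ts
        elif kind == "withdrawal":
            # Rule 2: new device -> bank link changed -> withdrawal, all inside the takeover window.
            if acct in bank_change_after_new_device and ts - new_device_login[acct] <= TAKEOVER_WINDOW:
                alerts.append({"account": acct, "rule": "new_device_bank_change_withdrawal",
                               "ts": ev["ts"], "amount": ev.get("amount")})
                del bank_change_after_new_device[acct]
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_activity(SAMPLE_EVENTS):
        print(alert)
```

Neither rule fires on the routine activity of account A1; both fire on A2, where the sequence of events, not any single event, is what looks like identity theft. Real platforms add many more signals, but this is the shape of the alerts the article suggests prioritizing.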

6. Stay current with patches and updates

One important piece of security advice has not changed with AI: unpatched software remains a prime vulnerability. Ensure that you have effective patching processes in place across all systems—including operating systems, applications, and even office devices like printers—and enable automatic updates where possible.

It’s also important to have a way to identify and measure the effectiveness of this process. Many IT service providers will use a vulnerability management scanner to identify any devices that have out-of-date software with security vulnerabilities.
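A vulnerability scanner's core check is a comparison of what is installed against what is required. As an added example (not code from the original article or from any scanner product), the Python below audits a constructed device inventory against a firm-chosen minimum-version baseline and also flags devices that have stopped reporting, since a silent device is one the patch process cannot reach. The product names, version numbers, and hostnames are assumptions for illustration; the one real pitfall it guards against is comparing versions as strings, where "10.10" sorts before "10.9".

```python
import re
from datetime import date

# Minimum patched versions the firm has decided to enforce (assumed baseline, not vendor data).
MINIMUM_VERSIONS = {
    "os-build": "10.0.19045",
    "pdf-reader": "24.2.1",
    "browser": "125.0",
}
MAX_DAYS_SILENT = 14   # a device that has not reported in this long may be unmanaged

# Constructed inventory as a scanner or management agent might export it (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "adv-laptop-01", "last_seen": "2024-05-30",
     "software": {"os-build": "10.0.22631", "pdf-reader": "24.2.1", "browser": "125.0"}},
    {"host": "adv-laptop-02", "last_seen": "2024-05-29",
     "software": {"os-build": "10.0.19044", "pdf-reader": "24.10", "browser": "9.1"}},
    {"host": "front-printer", "last_seen": "2024-04-01",
     "software": {"os-build": "10.0.19045"}},
]


def version_key(v):
    """Turn '10.0.19045' into (10, 0, 19045) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_patch_status(inventory, minimums=MINIMUM_VERSIONS, today=date(2024, 5, 31),
                       max_days_silent=MAX_DAYS_SILENT):
    """Return (host, item, detail) findings for out-of-date software and stale devices."""
    findings = []
    for dev in inventory:
        silent_days = (today - date.fromisoformat(dev["last_seen"])).days
        if silent_days > max_days_silent:
            findings.append((dev["host"], "stale", f"not seen for {silent_days} days"))
        for product, installed in dev["software"].items():
            required = minimums.get(product)
            if required is None:
                continue   # no baseline set for this product
            if version_key(installed) < version_key(required):
                findings.append((dev["host"], product, f"{installed} < required {required}"))
    return findings


if __name__ == "__main__":
    for host, item, detail in audit_patch_status(SAMPLE_INVENTORY):
        print(f"{host}: {item}: {detail}")
```

In the sample data, adv-laptop-02's PDF reader at 24.10 passes the 24.2.1 baseline because the comparison is numeric, while its older OS build and browser are reported, and the printer shows up not for a version problem but because nothing has heard from it in two months.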

7. Create an incident response plan

No defense is foolproof. Get ahead of it by preparing a written incident response plan that identifies roles, communication steps, client and regulator notifications, and recovery actions. Be sure to consider common types of incidents, such as a compromise of your business email system or a ransomware attack. One important consideration for responding to ransomware is ensuring that your firm’s data is backed up in secure, separate locations.

Then you’ll want to do a test run. Check your ability to restore backups, and host a tabletop simulation to clarify roles and responsibilities with your firm, IT service provider, and other business partners.

Final thoughts

In today’s landscape, protecting client data is essential—not optional. The rise of AI presents both risks (like deepfake impersonation) and opportunities (like monitoring tools).

By prioritizing security, you will protect your firm and build trust with clients.