Q4 2025 closed with professional services firms firmly in the crosshairs. Financial services led all sectors in reported breaches with 739 confirmed incidents, and professional services was not far behind at 478. The pattern isn't random. Attackers aren't breaking down your front door; they're walking through your vendors'. Third-party vendor compromise was the defining attack vector of the quarter, and the baseline was already bad before the quarter began: the Verizon 2025 Data Breach Investigations Report found that 30% of breaches involved a third party, double the prior year's share. If you don't know which vendors touch your client data, you don't know your actual exposure.
Third-party vendor attacks were the defining fault line of Q4 2025. The model is consistent: compromise a trusted vendor, then use that relationship as a bridge into the actual target. Your own systems are never touched directly. Your client data walks out through your software vendor's back door, using access you granted.
Every compliance tool, document management platform, and e-signature vendor you use is a potential door into your clients' data. Do you know which of your vendors had an incident this quarter? Most firms don't. This is exactly what subprocessor mapping addresses: an inventory of every vendor that receives client data and of every party those vendors in turn pass it to.
The cybercrime group ShinyHunters ran a coordinated campaign against wealth management firms in Q4, hitting Mercer Advisors, Beacon Pointe Advisors, and Pathstone Family Office in rapid succession. Mercer refused to pay ransom on 5.7 million client records, including Social Security numbers and personal identifiers, and the group published the stolen data. These are not opportunistic attacks. Threat actors specifically target firms holding high-net-worth (HNW) client data because those records command premium prices on criminal markets.
If your CRM, portfolio management software, or client portal hasn't been audited for subprocessor exposure, you're operating blind. HNW client data is a high-value, high-liquidity asset in criminal markets. Your clients chose you for discretion. A breach changes that relationship permanently.
The New York AG settled with accounting firm Wojeski & Company after the firm took over a year to notify breach victims despite clear legal obligations to act promptly. A phishing email triggered the initial ransomware attack. Client Social Security numbers were stored unencrypted. Victims weren't notified until November 2024, eighteen months after the attack. The firm paid $60,000 in penalties and was required to overhaul its security practices entirely.
The fine isn't the real number. Client notifications, mandatory credit monitoring, reputational fallout, and class action exposure are where small firms get buried. Notification delay is its own separate liability event, distinct from the breach itself. Your engagement letter and incident response plan need to address this before you have an incident, not after.
In December, 700Credit, a credit data provider used by dealerships, financial institutions, and lending partners, confirmed a breach affecting at least 5.6 million individuals, exposing Social Security numbers and financial account data across every downstream partner connected to its platform. The breach didn't originate at a bank or advisory firm. It originated at a vendor those institutions trusted with access to their data ecosystem.
You may not use 700Credit. But you probably use something structurally identical. Aggregator-style vendors sit at the center of massive data flows, and most professional services firms have no idea these companies exist in their vendor chain, let alone that they're actively processing client data. This is the subprocessor problem in its purest form: the party holding your data is one you never contracted with and may never have heard of.
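What subprocessor mapping actually computes is worth seeing in code. The example below is added here and is not part of the original piece or any vendor's tooling. It uses a constructed inventory with invented vendor names (crm, doc-mgmt, cloud-host-a and so on, none of them real companies) and makes one deliberately conservative assumption: a subprocessor can see everything the vendor above it holds until a contract or data processing agreement says otherwise. It propagates data classes down the vendor graph, lists the parties that appear as someone's subprocessor but were never inventoried (the 700Credit pattern), and answers the two questions you need on day one of a vendor incident: what data is exposed, and which of your vendor relationships route data to the breached party.

```python
"""Subprocessor exposure map: which third and fourth parties can reach which client data.

Added illustration with a hypothetical inventory. Vendor names are invented.
"""
from collections import deque

# Constructed sample inventory. Each vendor lists the data classes the firm sends it
# directly and the subprocessors it in turn passes data to. "cdn-x" is named as a
# subprocessor but has no entry of its own: an aggregator nobody inventoried.
INVENTORY = {
    "crm":          {"data": {"pii", "ssn"},        "subprocessors": ["cloud-host-a", "email-relay"]},
    "doc-mgmt":     {"data": {"pii", "financials"}, "subprocessors": ["cloud-host-a", "ocr-service"]},
    "e-sign":       {"data": {"pii"},               "subprocessors": ["cloud-host-b"]},
    "cloud-host-a": {"data": set(),                 "subprocessors": []},
    "cloud-host-b": {"data": set(),                 "subprocessors": ["cdn-x"]},
    "email-relay":  {"data": set(),                 "subprocessors": []},
    "ocr-service":  {"data": set(),                 "subprocessors": ["cloud-host-b"]},
}


def exposure_map(inventory):
    """Data classes each party can see.

    Assumption: a subprocessor can see everything the vendor above it holds.
    Refine per vendor once a contract or DPA says otherwise. Runs to a fixed
    point, so it terminates even if the vendor graph contains a cycle.
    """
    exposure = {name: set(entry["data"]) for name, entry in inventory.items()}
    changed = True
    while changed:
        changed = False
        for name, entry in inventory.items():
            for sub in entry["subprocessors"]:
                seen_by_sub = exposure.setdefault(sub, set())  # creates entries for unmapped parties
                before = len(seen_by_sub)
                seen_by_sub |= exposure[name]
                if len(seen_by_sub) != before:
                    changed = True
    return exposure


def unmapped_subprocessors(inventory):
    """Parties named as someone's subprocessor that have no inventory entry of their own."""
    named = {sub for entry in inventory.values() for sub in entry["subprocessors"]}
    return sorted(named - inventory.keys())


def descendants(inventory, vendor):
    """Every party downstream of `vendor` (breadth-first, cycle-safe)."""
    seen, queue = set(), deque([vendor])
    while queue:
        current = queue.popleft()
        for sub in inventory.get(current, {"subprocessors": []})["subprocessors"]:
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen


def blast_radius(inventory, compromised):
    """If `compromised` is breached: the data classes at risk, and every upstream
    vendor whose data reaches it. Each upstream relationship is a notification
    and contract question for the firm."""
    exposure = exposure_map(inventory)
    upstream = sorted(v for v in inventory if compromised in descendants(inventory, v))
    return exposure.get(compromised, set()), upstream


def who_holds(inventory, data_class):
    """Every party, inventoried or not, that can see a given data class."""
    return sorted(name for name, seen in exposure_map(inventory).items() if data_class in seen)


if __name__ == "__main__":
    for party, seen in sorted(exposure_map(INVENTORY).items()):
        print(f"{party:14} {sorted(seen)}")
    print("not inventoried:", unmapped_subprocessors(INVENTORY))
    print("blast radius of cloud-host-b:", blast_radius(INVENTORY, "cloud-host-b"))
    print("who can see ssn:", who_holds(INVENTORY, "ssn"))
```

Two design points. The fixed-point loop rather than a single pass is what lets cloud-host-b's data reach cdn-x even though cloud-host-b is listed before the vendor (ocr-service) that feeds it, and it also copes with vendor graphs that loop back on themselves. And the unmapped list is the finding to act on first: a party that can see Social Security numbers but has no inventory entry has no contract, no security questionnaire, and no one to call when it is breached.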
In October 2025, the New York Department of Financial Services issued an Industry Letter clarifying how covered entities must manage cybersecurity risks from third-party service providers under its Cybersecurity Regulation (23 NYCRR Part 500), with further amended Part 500 requirements taking effect November 1, 2025. If you work with New York-based financial clients, or if you are a vendor to a covered entity, this directly implicates your vendor relationship documentation and security controls.
Bottom line: Your clients' regulators are now asking harder questions about their vendors. That means they will start asking harder questions about you.
The throughline of Q4 2025 isn't sophisticated hacking. It's misconfigured applications, weak third-party controls, and limited visibility into where sensitive data actually lives. None of those require an enterprise security budget to fix. They're systems design problems, and they're addressable at the small-firm level with the right audit and remediation process.
If you don't know where your data goes after it leaves your office, this quarter should concern you.
