As a financial adviser, you rely on email every day to manage relationships, send reports, and respond to client questions.
It’s fast, familiar, and easy to use - but it’s also one of the most common causes of data breaches in financial services.
Nearly a third of all reported breaches in the UK involve email.
And it's not just cyber attacks.
Simple mistakes - like using CC instead of BCC so every recipient can see the others' addresses, or attaching the wrong document - are behind many of the incidents reported to the ICO.
For smaller firms, even a single misstep can lead to lost trust, reputational damage, or regulatory scrutiny.
But with the right approach, email can be a secure and reliable tool.
Let’s look at why email poses a risk, what the rules say, and how to protect your firm and your clients.
The FCA’s Principles for Businesses include obligations to protect client data and act in your clients’ best interests.
Under the Consumer Duty, firms must make sure communications are clear, appropriate, and help avoid foreseeable harm - including harm caused by unsecured email.
The UK GDPR requires “appropriate technical and organisational measures” to protect personal data.
The ICO highlights encryption as a key control when sharing data by email. If a breach occurs and the data wasn’t protected, you could face a fine or formal investigation.
More than 1 in 5 data breaches reported to the ICO involve email mistakes - most commonly misaddressed messages or failure to use BCC.
The ICO's guidance urges firms to use encryption, train staff on safe email use, and consider tools that allow emails to be revoked after sending.
If you provide or discuss investment advice via email, those communications need to be archived.
MiFID II requires firms to retain client-related electronic communications for at least five years in a secure, searchable format.
Frameworks like ISO 27001 or U.S. regulations (such as FINRA and SEC rules) recommend encryption, data retention, and access controls as standard practice.
While not legally required in the UK, they offer a strong benchmark for security maturity - particularly if you have clients or partners abroad.
Complex cyber threats get the headlines - but most email breaches start with a simple mistake.
Phishing emails are designed to trick you into sharing credentials, downloading malware, or transferring funds.
They often impersonate trusted contacts, including clients, providers, or even regulators like the FCA.
"I once got an email that looked like it came from our platform provider, asking me to log in to review a client’s fund switch.
Everything looked normal - branding, language, even the footer.
I nearly clicked before realising the URL was wrong."
Anonymous IFA
Attackers may use spoofing to fake your email domain and send messages that appear to come from your firm.
Without SPF, DKIM, and DMARC, receiving mail servers have nothing to check a message against, so a forgery that uses your domain is delivered just like the real thing.
"A client called to ask why I’d emailed them to update my bank details. I hadn’t.
Someone had faked my email address and sent them new payment instructions."
Anonymous IFA
Data leakage can happen when sensitive files are forwarded to personal inboxes, accessed on unsecured devices, or sent without encryption.
"I sent a valuation report to my own Gmail account to print from home. Later, I realised it included full client details.
It wasn’t a hack - just a shortcut that put their data at risk."
Anonymous IFA
The most common email incidents reported to the ICO are caused by human error - such as sending to the wrong address or forgetting to use BCC.
"I once attached the wrong PDF to an email - it had another client’s pension summary. I spotted it too late to recall the message."
Anonymous IFA
Good email security isn’t just about locking everything down - it’s about making the right safeguards feel seamless.
Encryption ensures that only the intended recipient can read your message, even if it's intercepted in transit. Where the message is tied to the recipient - for example a portal that makes them log in before they can open it - it also limits the damage of a misaddressed email, because the wrong person can't read what they were sent.
It turns an email from a virtual postcard into a sealed envelope.
"We added a secure email option to our Outlook accounts. Now, anything containing client data gets sent via a portal - it’s a simple extra click, but it means I don’t worry about misfires or interception."
Anonymous IFA
Secure email gateways (SEGs) act like security guards for your communications - filtering threats before they reach you and scanning outbound messages before they leave.
On the inbound side, they block phishing, malware, and suspicious links. On the outbound side, they help enforce security by scanning for sensitive information, triggering encryption, and revoking access where needed.
"Since we enabled outbound scanning, the system started flagging any email with words like ‘payslip’ or ‘confidential’.
It’s a quiet safety net - I don’t always notice it working, but I’d miss it if it wasn’t there."
Anonymous IFA
SPF, DKIM, and DMARC work together to stop spoofing of your exact domain. SPF publishes which systems are allowed to send email for your domain, DKIM signs each message so receivers can tell if the content has been tampered with, and DMARC tells receivers what to do with messages that fail those checks (monitor, quarantine, or reject) and sends you reports on who is sending as your domain. They don't stop lookalike domains, so the sender's address still needs checking.
See the NCSC guidance for setup recommendations.
"After we set up DMARC, we stopped getting calls from clients saying they’d received strange emails from us.
It also gave us insight into who was trying to spoof our domain."
Anonymous IFA
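As an added illustration of what those records are checked for (example code written for this page, not from the NCSC or any product), the Python below evaluates a domain's SPF and DMARC TXT records and flags the weak settings a spoofer benefits from: a missing record, a `+all` SPF mechanism, more than ten DNS lookups, a DMARC policy of `p=none`, or no reporting address. The records and the domain example-ifa.co.uk are constructed for the example; for a real domain you would fetch the strings with `dig TXT <domain>` and `dig TXT _dmarc.<domain>` and pass them in.

```python
import re
from dataclasses import dataclass

# Constructed sample records for a hypothetical firm domain (not real DNS lookups).
WEAK_APEX_TXT = ["v=spf1 include:spf.protection.outlook.com +all"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none"]
STRONG_APEX_TXT = ["v=spf1 include:spf.protection.outlook.com -all"]
STRONG_DMARC_TXT = ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example-ifa.co.uk"]

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=|ptr\b)", re.IGNORECASE)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def check_spf(apex_txt):
    """Evaluate the SPF record(s) among a domain's apex TXT records."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "no SPF record: any server can claim to send as this domain")]
    if len(spf) > 1:
        return [Finding("high", "more than one SPF record: receivers treat this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    all_term = next((t for t in terms if ALL_TERM.match(t)), None)
    if all_term is None:
        findings.append(Finding("medium", "no 'all' mechanism: unlisted senders are treated as neutral"))
    elif all_term.lower().lstrip("+") == "all":
        findings.append(Finding("high", "'+all' authorises every host on the internet to send as you"))
    elif all_term.lower() == "?all":
        findings.append(Finding("medium", "'?all' is neutral; publish '~all' or, once the sender list is complete, '-all'"))
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror"))
    return findings


def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(dmarc_txt):
    """Evaluate the TXT record published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("high", "no DMARC record: SPF/DKIM failures are not enforced and nobody reports them to you")]
    tags = parse_dmarc_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "p=none only monitors: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("info", "p=quarantine sends spoofed mail to junk; move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(Finding("high", "missing or invalid p= tag: receivers ignore the record"))
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(Finding("medium", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append(Finding("medium", "sp=none leaves subdomains open to spoofing"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address: you will not receive the aggregate reports that show who is spoofing you"))
    return findings


def assess(apex_txt, dmarc_txt):
    """Return (worst severity or 'ok', findings) for a domain's SPF and DMARC records."""
    findings = check_spf(apex_txt) + check_dmarc(dmarc_txt)
    worst = next((s for s in ("high", "medium", "info") if any(f.severity == s for f in findings)), "ok")
    return worst, findings


if __name__ == "__main__":
    for label, apex, dmarc in (("weak", WEAK_APEX_TXT, WEAK_DMARC_TXT), ("strong", STRONG_APEX_TXT, STRONG_DMARC_TXT)):
        worst, findings = assess(apex, dmarc)
        print(f"{label}: {worst}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

DMARC only covers the domain it is published for and its subdomains: a lookalike domain with its own clean records passes these checks, so the advice to read the sender's address carefully still applies.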
Technology is essential - but it’s how you use it that makes the biggest difference.
Take a moment to check who you’re sending to.
Many breaches come from simple human error - the wrong recipient, the wrong attachment, or a recipient list that should have been hidden with BCC.
Use encryption or a secure portal for anything involving personal data or financial documents.
Phishing emails often look legitimate.
Pause, check, and confirm through a separate channel before acting.
Choose long, unique passwords and enable multi-factor authentication to protect your email account.
Only include what's necessary.
Avoid attaching full reports when a simple update will do.
If something feels off, or you make a mistake, raise it early. You can often fix it before it becomes a breach.
You don’t need to be a tech expert to choose secure email - but you do need to know what to look for.
Platforms like Microsoft 365 and Gmail offer simple encryption options for everyday use.
Secure email portals are great for sharing documents securely - recipients log in to view your message, so a misaddressed email can't simply be opened by the wrong person.
Less elegant but still useful - password-protected PDFs sent via email, with the password shared separately (by phone or text, never in the same email). Use a long password and make sure the tool applies AES encryption; older 40-bit PDF protection is easily broken, and the protection is only ever as strong as the password.
Automate encryption based on content, file types, or keywords to remove the guesswork.
Revoke access to a message after sending or set expiry windows for extra control.
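The outbound scanning described under secure email gateways and the content-based automatic encryption in this list come down to a policy that inspects each message before it leaves. The Python below is an added example of such a policy, written for this page rather than taken from any gateway product: it looks for UK identifiers (National Insurance numbers, sort codes alongside account numbers), keywords like the 'payslip' and 'confidential' triggers mentioned above, and document attachments, then decides whether a message can go as-is, must be routed through encryption, or should be blocked. It also catches the two human-error patterns discussed earlier: a long visible recipient list that should have been BCC, and client data forwarded to the sender's own webmail account. The patterns, keyword list, firm domain example-ifa.co.uk, and sample messages are all constructed assumptions; a real deployment would tune them to the firm's own documents.

```python
import re
from dataclasses import dataclass, field

# Detection rules, constructed for this example rather than taken from any product.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.IGNORECASE)  # e.g. AB123456C
SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")                              # e.g. 12-34-56
ACCOUNT_NUMBER = re.compile(r"\b\d{8}\b")                                     # UK account numbers are 8 digits
KEYWORDS = ("confidential", "payslip", "pension summary", "valuation report", "p60")
DOCUMENT_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".csv")
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com", "yahoo.com", "icloud.com"}
MAX_VISIBLE_EXTERNAL = 10  # more external addresses than this in To/Cc looks like a bulk send


@dataclass
class OutboundMessage:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)
    already_encrypted: bool = False  # e.g. the user chose the firm's secure-portal option


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def local_part_of(address):
    return address.split("@", 1)[0].lower()


def sensitive_indicators(msg):
    """List the reasons a message is treated as containing client data (empty if none)."""
    text = f"{msg.subject}\n{msg.body}"
    reasons = []
    if NI_NUMBER.search(text):
        reasons.append("National Insurance number in message")
    if SORT_CODE.search(text) and ACCOUNT_NUMBER.search(text):
        reasons.append("bank sort code and account number in message")
    lowered = text.lower()
    reasons += [f"keyword '{k}'" for k in KEYWORDS if k in lowered]
    reasons += [f"document attachment {a}" for a in msg.attachments if a.lower().endswith(DOCUMENT_EXTENSIONS)]
    return reasons


def decide(msg, firm_domain):
    """Return (action, reasons): 'allow', 'encrypt' (route via the secure portal) or 'block'."""
    firm_domain = firm_domain.lower()
    visible_external = [r for r in msg.to + msg.cc if domain_of(r) != firm_domain]
    external = visible_external + [r for r in msg.bcc if domain_of(r) != firm_domain]
    # A long visible recipient list is the classic CC-instead-of-BCC breach, whatever the content.
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        return "block", [f"{len(visible_external)} external addresses visible in To/Cc; use Bcc or a mailing tool"]
    reasons = sensitive_indicators(msg)
    if not reasons or not external:
        return "allow", reasons
    # Client data addressed to the sender's own webmail account is a leakage shortcut rather
    # than a legitimate external send, so it is blocked instead of encrypted.
    self_forward = [r for r in external
                    if domain_of(r) in WEBMAIL_DOMAINS and local_part_of(r) == local_part_of(msg.sender)]
    if self_forward:
        return "block", reasons + [f"client data addressed to personal webmail {self_forward[0]}"]
    if msg.already_encrypted:
        return "allow", reasons
    return "encrypt", reasons


# Constructed sample messages from a hypothetical firm.
FIRM = "example-ifa.co.uk"
CLIENT_REPORT = OutboundMessage(sender="adviser@example-ifa.co.uk", to=["client@gmail.com"],
                                subject="Your valuation report", attachments=["valuation-2024.pdf"])
INTERNAL_NOTE = OutboundMessage(sender="adviser@example-ifa.co.uk", to=["compliance@example-ifa.co.uk"],
                                body="Client NI number AB123456C needs correcting on the platform.")
SELF_FORWARD = OutboundMessage(sender="jane.smith@example-ifa.co.uk", to=["jane.smith@gmail.com"],
                               body="Printing this at home", attachments=["Client_Valuation.PDF"])
NEWSLETTER = OutboundMessage(sender="adviser@example-ifa.co.uk",
                             to=[f"client{i}@example.org" for i in range(12)], subject="Quarterly update")

if __name__ == "__main__":
    for name, msg in (("client report", CLIENT_REPORT), ("internal note", INTERNAL_NOTE),
                      ("self-forward", SELF_FORWARD), ("newsletter", NEWSLETTER)):
        action, reasons = decide(msg, FIRM)
        print(f"{name}: {action} {reasons}")
```

The keyword and pattern rules are deliberately simple; real gateways add document fingerprinting and machine-learned classifiers, but the decision structure (inspect, then allow, encrypt or block, with a reason the user can see) is the same.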
Not every email needs encrypting - only messages containing personal or sensitive information.
BCC on its own is not a security control. It hides recipients' addresses from each other, but it doesn't protect the message contents.
Act fast. Revoke access if your system allows it, contact the unintended recipient and ask them to delete the message, and assess whether the incident has to be reported to the ICO - under UK GDPR a reportable breach must be notified within 72 hours of becoming aware of it.
Five years is the minimum retention period under MiFID II, in a secure, searchable archive.
Check what your email platform already offers. If needed, look into secure portals or add-ons that work with Outlook or Gmail.
ICO Email Security Guidance, ICO, 2023
ICO Data Breach Statistics, Egress, 2022
FCA Consumer Duty Communications Guide, FCA, 2022
UK GDPR and Data Protection Act 2018, UK Government, 2018
MiFID II Recordkeeping Rules, FCA Handbook, 2023
FINRA & SEC Email Retention Requirements, SEC, 2022
Microsoft 365 Email Encryption Documentation, Microsoft, 2023
NCSC DMARC and Email Authentication Guidance, NCSC, 2023
IBM Cost of a Data Breach Report (2024), IBM, 2023
Egress Blog: Misaddressed Emails and Human Error, Egress, 2023
FCA Phishing Scam Warning (2025), Professional Adviser, 2025
Sabrina McClune, 19.06.24
Sam Kendall, 13.06.25