Posted: 12 Jun. 2023

Cyber & Technology Risk and the Family Office

It’s time to act

How is your cyber preparedness? Do you have the right controls in place to protect your assets? Is your principal confident in navigating the increasingly complex digital space? The smallest breach can take a castle down. But you’re not alone.

Cybercrime has emerged as one of the greatest threats to family offices and the ultra-high-net-worth individuals they represent. This comes at a time when larger organisations are strengthening their digital defences in response to greater industry pressures and regulatory oversight, leaving smaller, privately owned businesses and family offices exposed as likely targets for cyber attackers.

Only recently, the UK Cabinet Office warned of an increased threat from ideologically motivated Russian hacker groups and urged all businesses to strengthen their cyber defences. As the threat continues to grow, being able to demonstrate that your business is resilient and knows how to respond to and recover from a cyber breach or a major IT failure is ever more important.[1]

In today's interconnected digital landscape, cyber criminals employ various tactics to exploit vulnerabilities in a company’s security controls and cause harm. One major concern is their ability to gain unauthorised access to personal data, including bank account details and investment portfolios, enabling them to commit identity theft and steal substantial sums. Moreover, data breaches, email account compromises and malware downloads can disrupt business operations, leading to potential extortion and financial losses. Another peril lies in the reputational risk posed by cyber criminals who use sensitive information, such as health information or religious or political views, to tarnish the principal’s image or to use as ransom leverage against the family. Additionally, these criminals may exploit information obtained from social media platforms to orchestrate smear campaigns and threaten family members’ personal safety. Safeguarding against these threats demands robust cybersecurity measures and a proactive approach to ensure the protection of assets, data and reputation.

According to a recent study, more than one-third of European family offices have been subject to a cybersecurity attack. Despite their exposure, roughly a quarter of family offices do not have appropriate measures in place to protect their business against cyber threats and ensure the security of sensitive data. They often have informal IT governance structures, and their employees lack basic awareness of cyber and IT risks. Moreover, interviews with family office executives suggest that many believe that cyber criminals have “bigger fish to fry” and therefore family offices are not targets. With the number of scams, phishing campaigns and cyber-attacks projected to increase in the coming years, this proves a risky stance to take.[2]

Like other businesses, family offices increasingly rely on virtual meetings, cloud-based data storage and integrated accounting systems in their day-to-day operations. While enthusiastically adopting the latest technology, family offices’ IT controls tend to be much less stringent than those of most organisations, and they are often ill-prepared to deal with potential breaches or major service disruption. Many do not have incident response and recovery plans in place, or they outsource their IT services to third-party providers without understanding potential vulnerabilities in those providers’ systems and the risks associated with weak security controls.[3]

Large companies and financial institutions have long been investing in managing their operational risks, and many dedicate entire divisions to such efforts. Family offices often find it challenging to strike a balance between having a robust IT security control environment and maintaining the practicalities of working in a small, trusted team with less infrastructure and more informal processes than larger organisations. Additionally, without facing the same regulatory scrutiny that corporate entities do, it can be difficult for the management of family offices to gain their principals’ buy-in to invest in additional controls. Unsurprisingly, criminals thrive on this way of thinking by exploiting lax attitudes towards security and the control gaps that exist as a result. Achieving the right balance requires a risk-based approach, proportionate security controls, pragmatic IT solutions and employee risk-awareness. By implementing these measures, family offices will be able to manage cyber security risks more effectively without sacrificing efficiency and flexibility.

It is crucial for management and employees of family offices to have a basic understanding of the tactics that cybercriminals use to target individuals at work, at home and in transit. Such awareness can help identify suspicious activity and respond effectively to incidents. Moreover, family offices should consider developing strong resilience and recovery capabilities, which could include risk assessments, strategy development, employee training and awareness, third-party risk management, and incident response planning such as adequate backups and incident response rehearsals. This will all help develop the right ‘security muscles’ to respond to and recover from cyber breaches effectively. By holistically embracing effective risk management procedures, family offices will be able to develop stronger relationships with their clients whilst protecting themselves and creating additional opportunities for future growth.[5]

The time to act is now.

Footnotes

1 UK warns of attacks from new ‘Wagner-like’ Russian cyber hackers | Financial Times (ft.com) (Accessed: 15 May 2023).

2 The European Family Office report 2021 (n.d.) | Campden Wealth (Accessed: 15 May 2023).

3 Cyber threats to family offices (2019) | Deloitte United Kingdom (Accessed: 15 May 2023).

4 Surveying the risk and threat landscape to family offices (n.d.) | Dentons (Accessed: 2 March 2023).

5 Family offices are growing and may benefit from reviewing their risk management processes (2020) | Deloitte United States (Accessed: 2 March 2023).

Key Contacts

Agnieszka Eile

Director

Agnieszka is a Director in the Risk Advisory practice, where she focuses on Cyber, Digital & Data risk. She works predominantly with Financial Services clients, including banking and capital markets, and private wealth management. She has over 13 years of experience advising organisations on non-financial risk management. Specifically, she helps clients evaluate the maturity of their technology and cyber security risk and control functions; design, develop and implement risk and controls management frameworks; and enhance organisations’ overall risk management culture. Agnieszka has led and delivered several information security risk and controls assessments, internal audits, maturity reviews and regulatory reviews for organisations across a range of industries and sectors, helping national and global companies prepare for and respond to known and unforeseen risk events.

Karina Mowbray

Partner

Karina is a Partner within our UK Technology Risk practice with experience providing IT Risk and Audit services, consulting and controls advice. She is responsible for leading global assurance and advisory engagements across a portfolio of Financial Services clients, with experience in governance, risk and control assurance, project management, business process design and assessment. Karina specialises in Legal and Compliance change programmes, with experience delivering technology components of large scale regulatory investigations and eDiscovery.

Victoria Robson

Consultant

Victoria is a Consultant within Deloitte's Risk Advisory practice. As a member of its Strategy & Controls (Cyber, Data & Digital) function, she delivers risk and regulatory services to clients across the UK Financial Services industry, empowering organisations to establish a strong foothold for long-term success in today's ever-evolving business landscape.