Wealth Think

Family offices are ripe targets for cybercriminals; here's how to protect them

These days all financial advisory firms, regardless of type or size, face some level of cybersecurity risk. But family offices, which exist to serve the needs of ultrahigh net worth families, present special challenges and considerations when it comes to cybersecurity and executive protection. (Just think of the Roy family on the hit HBO TV series "Succession," where family dysfunction regularly bleeds into business, causing the boundaries between personal and professional to erode.) 

Trinity Davis, managing director at 360 Privacy

Here are some unique features of family offices, the cybersecurity threats these firms face and suggestions on how to meet and effectively repel these threats.

Scant security budgets

Limited resources can be a hurdle when it comes to implementing strong cybersecurity protocols. Family offices might not have the same assets as large enterprises to invest in sophisticated security infrastructure or dedicated security teams. 

Even if they do have the money, sometimes they simply aren't allocating it to security measures. According to an eye-opening statistic in the 2022 North America Family Office Report, family offices on average hold about $2 billion in assets but spend only $48,000 on cybersecurity.

In a family office, long-term employees tend to be deeply trusted due to their established relationships and understanding of the family's unique needs, values and dynamics. However, sophisticated cybersecurity measures often require external security partners — and trusting these external experts can be difficult since they haven't built the same level of rapport and trust with family members and staff. Clear communication, strict confidentiality agreements and oversight by trusted long-term employees can help enhance security without compromising foundational familial trust.

A lack of specialized expertise or dedicated personnel solely focused on cybersecurity in family offices can also be due to a resistance to change from family members or employees accustomed to traditional methods or hesitant to adopt new technologies or security protocols. This is a challenge for many established firms but can be extra difficult when you're, say, trying to convince an older relative to do something new and different. According to 2023's North America Family Office Report, 40% of family offices said they viewed the failure to upgrade technology as a potential concern in relation to their cybersecurity risk.

Add to these challenges the fact that implementing security measures in a scalable way that accommodates wealth management strategies and evolving threats without impeding operations can be even harder for family offices, which are typically smaller organizations in which employees and family members wear multiple hats.

Cyber-threat rundown

Given the wealth and sensitive information they manage, family offices are particularly attractive targets for cyber threats like phishing, ransomware and social engineering attacks.

According to the North America Family Office Report 2023, 61% of responding family offices cited data breaches and cybersecurity incidents as a significant concern. Another report from UBS found that 37% of family offices have been targeted at least once.

In addition, these operations potentially face:

Physical security concerns. Because individuals connected with family offices can be high-profile, high-wealth individuals who may be publicly involved with contentious social or political issues, they may face security threats to property — or even to themselves or their families.

Insider threats. The close-knit nature of family offices means there is a risk of insider threats, whether unintentional (a family member with inadequate cyber hygiene practices could fall victim to a phishing scheme that puts the whole company at risk, for example) or intentional (embezzlement is a common risk).

Cyber-kidnapping. Private family offices may be targets of cyber kidnapping due to their management of substantial wealth and sensitive financial information, making them attractive to ransom-seeking attackers.

The best defenses

What essentials should any family office's cybersecurity program include? 

The answer is a balanced mix of technology and processes, including the following components: 

  • Robust firewalls and network security solutions to monitor and control all network traffic.
  • Regularly updated antivirus software on all devices to protect against malware, viruses and other threats. 
  • Frequent backups of critical data and encryption for sensitive information.
  • Strong authentication methods such as multifactor authentication and role-based access controls. 
  • Ongoing cybersecurity training for employees and family members, emphasizing the importance of secure practices and their role in maintaining a secure environment. This should include helping them understand how their personal use of the internet and social media can impact the business.

In family offices, resistance to adopting these cybersecurity protocols often divides along generational lines. Younger employees may be more accepting of new technology, for instance, whereas older members may take an "if it ain't broke, don't fix it" approach. While bringing in external security resources may be met with initial resistance, I have found that expert, impartial third parties can help create a stronger, more robust and better structured cybersecurity approach.
