Cybersecurity is becoming an increasingly complex — and important — issue for family offices. More than a third of North American family offices have reported experiencing a cyberattack. And technological advances, including AI, are helping both family offices — and the hackers who would attack them — become more sophisticated.
“There are a lot of different reasons hackers are hacking, but most of it is for money,” says Annmarie Giblin, partner at Tarter Krinsky & Drogin LLP. She works in three areas: helping family offices put in place proactive cybersecurity measures, helping them manage incidents when they occur, and working on privacy compliance when required.
The potential for financial gain, for example, is behind one increasing threat: virtual kidnapping. It’s a less risky version of the physical kidnapping that has long been a concern for high-net-worth families. Technology continues to make virtual threats easier: A few years ago, scammers started spoofing cell phone numbers, making it appear that a call was coming from a loved one. Now, AI is enabling fake calls that mimic people’s voices — which may be made easier if videos of family members exist online.
“With deep fakes, it’s very easy to trick someone,” Giblin says. “It can get to the heart of your physical safety and your family’s safety.”
Family office vulnerabilities
Giblin cites several reasons that family offices are particularly susceptible to cyberattacks:
- Increased online visibility. In past decades, many wealthy families kept a relatively low profile, so there was little publicly available information that would let criminals know who they were. But today’s youth have grown up with social media, and it’s normal for them to post accounts of their day-to-day activities. When those activities include expensive vacations or rides on private jets, for example, it can help identify the entire family.
“The younger members of the family are outing families that have kept a really tight lid on their wealth for a long period of time,” Giblin says. “They’re out there showing their wealth in ways that their parents and grandparents never would have. It really makes them targets because they have money.”
- Blurred boundaries between business and family. The frequent overlaps between families’ businesses (including the family office) and their personal lives can create security gaps. There could be employees working in the home, for example. New “smart” appliances in the home can be hacked, giving information about the household. The business’s IT department may have a state-of-the-art firewall and a great team, but family members may also sign on at home, using a less secure network.
- Lack of regulation. One of the reasons families like family offices is that they are comparatively easy to keep private. But the lack of regulatory structure can also make them vulnerable to cyberattacks.
“This has allowed complacency,” Giblin says. Without regulations mandating cybersecurity precautions, those precautions have, for some families, fallen into the “nice to have but not necessary” category.
Looking for solutions
Family offices are becoming increasingly sophisticated in their search for cybersecurity solutions.
“Early on, when cybersecurity started to become an issue that family offices were aware of, a lot of them were looking for a quick fix — ‘We’re going to find a technology solution to this problem’ — only to realize over time that that was a bit naive,” says Alexandre Monnier, global head of family office advisory for Citi Private Bank. A family office may have best-of-breed hardware but still have employees or family members who don’t regularly change their passwords, for example. “It’s like securing the door to your house but leaving the windows open.”
Citi’s Global Family Office Survey Insights 2023 found that family offices are working on three avenues to improve cybersecurity: technology, processes and people.
“You’re seeing a desire to be more comprehensive, understanding that it’s a complex, systemic issue — it’s not a quick fix with a technology upgrade,” Monnier says.
Citi asked what actions family offices were taking to protect against cyberattacks. It found that a majority are training staff (61%), establishing security policies and procedures (53%), and upgrading legacy systems (52%). Near majorities are conducting cybersecurity risk assessments (49%) and educating family members (45%).
“They are pulling all the right levers,” Monnier says. “They are enhancing technology but also processes, and they are training their people.”
Training people turns out to be an especially important part of a cybersecurity plan. According to Verizon’s 2023 Data Breach Investigations Report, nearly three-quarters of cybersecurity breaches involved a human element such as social engineering — tactics that manipulate or deceive people into giving up passwords or other data. Training both professional staff and family members on how to keep their personal data secure is essential.
“The weak point is sometimes the family itself,” Monnier says. “A family member will email the family office asking for a wire using a Gmail account.”
The Citi survey found one tool that remains underused: cybersecurity insurance, which only 19% of respondents said they had purchased.
“One of the best things you can do for a cyber incident is have cyber insurance,” Giblin says.
An insurance company can not only compensate you for losses; it can also help you respond to an attack when it happens.
“I think many family offices are not aware of cybersecurity insurance options: the fact that it’s available, what you can get, who to get it from,” Monnier says. “I think there’s still a need for that awareness to mature. That number is likely to trend up.”