What are family offices concerned about this year? For 22% of family offices, cybersecurity is a top risk, according to the “Family Office Cybersecurity Report, 2024,” part of the Family Office Insights Series – Global Edition from Deloitte Private.
The report found that 43% of family offices have been the victim of a cyberattack in the past one to two years. Of these family offices, one-third suffered damages — such as the loss of confidential data or a financial loss — as a result of the attack.
Phishing attacks are the most common, with 93% of victims reporting them. Over one-third of victims (35%) reported malware attacks.
“Getting a phishing email is often the start for bad actors of a ransomware campaign, so linking those two becomes a really important educational piece for family offices,” says Tiffany Kleeman, Deloitte’s Emerging Growth Leader for the Cyber and Strategic Risk Practice.
While ransomware attacks — in which cyber criminals take control of an organization’s data and demand payment for its return — may generate publicity when they are carried out against public companies, they also target family offices.
“Family offices may think, ‘I’m not a target for ransomware — I’m just a small family office,’” Kleeman says. “That is absolutely not true. They are very much a target, increasingly. They still have a lot of assets under management — there is still a lot of money to go after. Ransomware actors and other cybercriminal groups can be highly organized, and they’re searching for financial gain.”
More than half of the victims of ransomware attacks end up paying the ransom, Kleeman says.
“Unfortunately, when many organizations face a ransomware attack, they don’t have many options before them in terms of what they’re going to do to get out of the situation — the attackers have taken their information or locked down their systems and are blackmailing them,” Kleeman says. “They can’t access information or continue operations unless they pay. It is a real risk to family offices that’s important to understand.”
Risks to family offices
Despite these risks, the survey found that nearly one-third (31%) of family offices do not have a plan in place to respond to a cyberattack. And beefing up cybersecurity also requires focusing on prevention.
“Family offices are having to catch up very quickly to the actual threat landscape that is now targeting them from a cyber perspective,” Kleeman says. “That means not just having an incident response plan in place, but do you have a broad cybersecurity program? Do you have someone in your family office that is a dedicated subject matter expert on cyber security? What we’re finding is that many do not.”
Family offices face challenges in implementing cybersecurity programs, starting with the fact that employees, and especially family members, may want easy, seamless communication, which may not be secure.
“There is sometimes a gap between the family’s risk tolerance and what is actually being executed by the family office,” Kleeman says. “You might have a situation where they say, ‘We’re very conservative, we have a very low risk tolerance,’ but when you look at the behavior and the controls that are being applied from a cyber security perspective, it’s counter to that notion.”
Family offices may also be hindered by outdated technology that may not be receiving updates to protect against the latest cyber threats.
“Depending on their size and age, and the investment they have made in technology, they may have a lot of legacy technology infrastructure, including some types of technology that are no longer supported by the vendors,” Kleeman says.
Defending against attacks
Still, family offices have a number of options as they look for ways to bolster their defenses against cyberattacks, Kleeman says:
- Look to experts. Consider hiring a cybersecurity expert to lead prevention and response efforts, as well as a team to execute the strategy. This could mean internal hires, an outsourced provider, or a combination.
- Consider cyber insurance. Cyber insurance can help mitigate the damages from a cyberattack. And the process of getting it can also help strengthen the family office’s defenses.
“While you can leverage cyber insurance premiums to help address residual risk to get it to a level that you are OK with, there’s a carrot and a stick to this,” Kleeman says. “In order to get insurance, you have to meet specific security requirements.”
- Use a portal for communication. Portals allow family offices to put sensitive data in a protected environment where only authorized people have access to it. This helps reduce the temptation to share confidential information over nonsecure channels such as email.
“I’m seeing a major shift by a number of family offices moving to specific portals where family members can communicate and share data within the portal, but not outside of those secure channels,” Kleeman says.
- Plan for an attack. Kleeman recommends thinking through scenarios: Does the family office have the backups and plans in place to keep operating through a ransomware attack?
“You can’t prevent all attacks, so how do you limit and mitigate the damage to the extent possible?” Kleeman says. “How do you operate through the disruption?”