pixelated lock around a chain

Is Your Family Office Secure from the Cyberworld?

March 24, 2021

Cybersecurity is “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this." (1)

In today’s hyperconnected world, digital security has never been more critical. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching USD 10.5 trillion annually by 2025, up from USD 3 trillion in 2015, representing the greatest economic wealth transfer in history. (2)

New digital technologies are emerging in family offices every day; digitization to improve content management, automation to create efficiencies, and increased collaboration between advisors to create synergies. Global research performed in 2019 estimated there were 7,300 single-family offices worldwide with wealth totaling an incredible US$ 9.4 trillion. (3)

While any technology user is at risk for cybersecurity attacks, family offices are particularly attractive to cybercriminals. Individuals within family offices have access and control over a substantial amount of highly confidential information. They deal with high-value, large transactions daily. Furthermore, family offices often have less stringent security controls than larger organizations. They rely on fewer staff members, so the perceived ‘need’ for advanced security technologies is lower.

Most Common Threats

The most obvious threat in the digital world is external hackers. Technology hackers exploit all vulnerabilities. Threats can include phishing attempts to obtain sensitive information and data and the use of malicious software that encrypts data and enables the attacker to make demands before unlocking it.

Another threat that should not be underestimated is third parties such as IT consultants or HVAC contractors that visit your site. These individuals are often considered lower risk given their employment with reputable companies. However, their physical access to your space can be detrimental to your family office’s security if not handled with caution. Cybersecurity and privacy should always be a contractual starting point for these relationships, and best practice is to have internal staff present during all contractor site visits.

It is also prudent to consider threats from within the family office. Cyber threats in these instances may not be intentional. It could be employees or family members who become victims of a common cyber-attack such as phishing.

Foundational Aspects of Cybersecurity

As you turn your mind towards the practices in your own family office, consider how you have employed these foundational aspects of an effective cybersecurity program:

  1. Training and awareness – The best defense for internal threats is ongoing training to educate family members and staff of the risks and implications of cyber-attacks. An effective training program should clearly outline what to watch for and include guidance on incident reporting to minimize an attack’s impact.
  2. Endpoint security – Endpoints are the access points to an enterprise network that malicious actors can exploit. The risks associated with these access points are growing as data becomes more fluid (e.g., remote environments and working on the go while connected to Wi-Fi networks). Endpoint security software typically enables encryption (to prevent data leaks and loss) and application control (to prevent unauthorized applications).
  3. Access and Authentication – Passwords are the oldest single-factor authentication system. They have been used since 1961, when the first computer system implemented password login. In the decades that have followed, password use has continued to evolve; using digital generators to create stronger passwords, having a unique password for every account you create; using secure password managers to avoid the tendency to reuse passwords. The concept of multi-factor authentication (MFA) dates back to the mid-1990s when AT&T was awarded its patent for a transaction authorization and alert system. Since then, this concept has taken the digital world by storm. MFA is an electronic authentication method whereby a user must present two or more pieces of identification evidence before being granted access to a website or application. With the mass adoption of smartphones and other software-based verification methods, MFA has become a widespread and effective authentication process.
  4. Firewalls and Encryption – A firewall is a network security system that establishes a barrier between a trusted source (your network) and an untrusted source (the internet). Some basic features of firewalls include intrusion detection, malware detection, and website filtering. Encryption can further enhance firewall security by adding a layer of protection to your data. Encryption is the process of taking plain text and scrambling it into an unreadable format to help protect its confidentiality.
  5. Recovery of Data – In a world where we have become reliant on digital information and platforms, data recovery has become a cornerstone to any digital environment. You do not want to be wholly dependent on one data set. At a minimum, a complete network backup should be maintained offsite to prevent instances of data loss due to theft or natural disasters. Cloud computing makes this easier. Cybersecurity and trust surrounding these virtual platforms are continually evolving, and in many instances, your data may be more secure in the cloud than on in-house network servers.
  6. Server Location – The location of the data center that hosts your website and network is a common concern for many family offices. Location may not be a security issue but rather a data privacy concern because your data’s location will determine the applicable privacy legislation. Data centers located in Canada fall under the Canada Privacy Act. This Canadian law is appealing to many, as it does not allow government institutions to collect personal information unless it relates directly to an institution’s operating program or activity. By comparison, the US Patriot Act makes data accessible to any government party in the US. The takeaway is that if you are storing your data outside of Canada, be aware that you will fall under the privacy rules for the jurisdiction where the data is located.

The Lesson

Effective cybersecurity is about being prepared. Work with knowledgeable advisors to identify the gaps, employ a solid infrastructure to protect from threats, and have an established plan in place to effectively detect and manage cyber-attacks. You may even consider taking it one step further by acquiring cyber liability insurance to protect against the costs associated with recovery from a cyber-related security breach.  This is cyber resiliency at its core.

While the thought of getting it right can seem daunting, bear in mind that you do not need to do it alone. Your responsibility is to recognize the importance of this ever-increasing area of risk. From there, leverage the experts to ease the burden of infrastructure review and cyberthreat intelligence implementation.


  1. Oxford English Dictionary
  2. Cyberwarfare In The C-Suite. Sponsored by INTRUSION, Inc., Sausalito, Calif. – Nov.13, 2020 /PRNewswire/,https://cybersecurityventures.com/
  3. UBS / Campden Research Report -http://www.campdenresearch.com/