Whether caused by family member thoughtlessness, employee error or the acts of a skilled data thief, everyone is likely to be the victim of an information breach at some point.

A cyberattack on a family office or family business can be especially damaging because it can lead to the public release of the family’s private information, theft of the family’s assets, ransom requests to unlock encrypted information, or even blackmail or personal security threats against family members.

Unfortunately, family offices and family businesses are especially tempting targets for hackers. A recent Sophos article states that 75% of cases handled by their X-Ops Incident Response service in 2023 were for small businesses.¹ A recent J.P. Morgan Private Bank report states that 24% of the family offices they surveyed have already been exposed to a cybersecurity breach or financial fraud incident. The report also noted that 40% of family offices list cybersecurity as an area where they need help.²

Reducing Family Office and Business Vulnerability to Cyberattacks

When you reach out for cybersecurity help, your attorney and other providers will proactively help you resolve basic issues that make your organization more vulnerable. These fixes could include:

• Finding or building a dedicated IT team to improve online security. Better security measures make it harder to access data and quicker and easier to detect an incident.
• Removing old, unused software from computers and devices and upgrading or patching current software for known vulnerabilities.
• Utilizing encryption technology for storage and transfer of sensitive information.
• Restricting sensitive data access to a small number of staff members while retaining the ability to provide great client service.
• Training staff and family members to be safe users of the internet, email and social media.
• Securing staff and family devices, including home Wi-Fi connections.
• Backing up data regularly and performing system scans and tests.
• Ensuring that contracts with third-party service providers who may have access to sensitive information or systems include the appropriate protections and legal obligations should there be unauthorized access to your data.

Preparing Family Offices and Businesses for a System Breach

Of course, fixing the vulnerabilities listed above can help make your organization a less attractive target. But with improved information, phishing techniques and AI technology, it is no longer a matter of “if” you will be impacted by a breach – it is a question of “when.”

Armed with that understanding, family offices and businesses need to move this issue to the top of their priority lists and start preparing. An incident response plan can identify gaps in your data security, and it will prepare you to respond to a security incident and meet the related legal obligations.

Typical steps in creating a response plan include:

1. Determine who should be on your team.

Consider team members who are familiar with your systems and business practices and who could carry out the plan once it is activated. Your team will need professionals that can:

• Determine the nature of the event, contain it and restore affected systems, while ensuring the preservation of records and evidence.
• Identify information or systems that have been accessed and notify law enforcement, if needed.
• Communicate with staff and family members and provide legally necessary notifications.
• Respond to inquiries from the press and public if the incident is widely reported.
• File injunctions to prevent publication of stolen information or respond to threats of litigation.
• Notify and work with your insurance company.

2. Review your current situation.

• Information: What information do you collect on family members and business activities, where is it stored and what are your obligations regarding its privacy and security?
• Service Providers: What sensitive information can each access? Review the responsibilities they agreed to and your remedies in a breach situation.
• IT Security: What are the key systems at risk? What people and tools are available to respond to a cyber incident? What gaps (including training) need to be addressed?
• Insurance: Does your cybersecurity insurance cover the areas where you will spend money in the event of a breach? Will it work with the providers on your proposed response team? Or will you have to use providers they choose?

3. Create the plan and supporting protocols.

Once in place, your response team can help you:

• Remedy identified issues and risks.
• Create your incident response plan.
• Define the circumstances that will trigger your plan.
• Test your plan.

¹2024 Sophos Threat Report: Cybercrime on Main Street. March 12, 2024. By Sean Gallagher, Anna Szalay, Andrew Brandt and Chester Wisniewski.

²2024 Global Family Office Report. J.P. Morgan Private Bank.