Should My Family Office Be Concerned About Cybersecurity?

Posted: Updated:

Data breaches are constantly in the news and most companies know they should be concerned about privacy and the security of their data, or at least recognize this is an important and complex area.

However, most family offices are not sure how to start addressing their concerns, or worse, don’t view the family office as a target. The majority (58%) of malware attack victims were categorized as small businesses in 2018.[i] Small businesses, and family offices in particular, are attractive targets for a number of reasons. Family offices may have a more informal governance structure than other companies, and family offices often put a heavy reliance on smaller staffs who have disproportionate access to large amounts of data. The fame and prominence of those associated with family offices can make the family office a target as well.

A family office manages a large amount of wealth, with careful attention and focus on protecting the wealth and creating a lasting and impactful legacy. Efforts to ensure security of data are not often a top priority for a family office, but that trend is changing. A recent report by Campden Wealth indicated that nearly a quarter (24%) of family offices surveyed reported protecting against cyberattacks as a governance priority for their family office.[ii] In 2017, Campden Wealth reported, within its Private & Confidential – The Cyber Security Report, that 32% of family offices have experienced one or more cyberattacks, with a significant portion resulting in some form of loss, such as a loss in revenue (26%) or loss of private and confidential information (19%).[iii] Despite the threat, and actual occurrences, of a cyberattack, roughly half (52%) of family offices surveyed had a cyber security plan in place, leaving a large population of the family office community vulnerable to security incidents.[iv]

Complex and dedicated efforts to ensure cybersecurity are often not given the sufficient attention required within a family office, unless a serious breach has occurred in the past with the family. The potential impacts to a family office after experiencing a security incident are somewhat unique. A security incident can cause the common impacts such as financial loss and reputational damage, but when a family office is the target the far reaching legacy of family can also be damaged. A security incident can expose more than just financial data; think about the recent scandal involving Jeff Bezos where personal text messages were obtained and released.
What Can Our Family Office To Do Plan and Prepare?
Being prepared for a security incident can make a difference in the severity and overall impact of a security incident when it occurs. Cyber-liability insurance policies can help to offset the potential losses associated with a security incident. An effective cybersecurity plan and training may even help to avoid easily preventable attacks. An effective incident response plan creates a clear plan of how to react and what steps to take when a security incident does occur. Testing the incident response plan once it is created through tabletop exercises helps to identify any gaps in the plan and allows for members to get comfortable with the process in the event of a security incident.

1.     Prepare a Cybersecurity Plan.

The process of preparing a cybersecurity plan allows for the family office to obtain a better picture of the technology being used by the family office, what types of information the family office is collecting and processing, how to best protect that data, and more. A review of the types of data a family office collects and how that data is stored and processed is a good starting point. Involving oversight from the board, executives or the family to create the cybersecurity plan allows for all parties with a stake in the protection of the data to be involved. Involving parties outside of just the information technology (IT) specialist allows for greater understanding of the reasons behind the polices and plan.

2.     Obtain a Cyber-liability Insurance Policy.

A cyber-liability insurance policy has the potential to cover a multitude of losses such as liability for lost data, remediation costs for investigations, notifications and repairs to systems after a security incident and settlement costs associated with a security incident. Typically, a cyber-liability insurance policy will give a family office access to experts who can assist with a security incident.

3.     Provide Cybersecurity Training and Education to Staff and Family Members.

Providing staff and family members with cybersecurity training is key; the first line of defense against a security incident is often people. By providing training and education about potential threats, best practices and appropriate processes, a family office can help to avoid incidents or attacks that are easily preventable.

4.     Prepare an Incident Response Plan.

A security incident occurs, your emails have been hacked, financial information has been compromised, now what? Creating an Incident Response Plan will lay out the steps the family office should take following an incident. The process of creating a plan helps to eliminate the stress and confusion that often surrounds a security incident by establishing the actions and processes before an incident occurs. A well-crafted Incident Response Plan can have a significant impact on the amount of damage caused by an incident.

5.     Perform Table Top Exercises.

A tabletop exercise is an activity in which key personnel who are assigned management roles and responsibilities in the event of a security incident are gathered to discuss, in a non-threatening environment, various simulated security incident situations. The exercises are provided by third parties and allow key family office staff, board members and family members a chance to run through the family office data security programs, policies, procedures and other related processes. Tabletop exercises give employees the opportunity to become familiar with the plans in the event of a security incident and hopefully help to ensure the data security programs, policies, procedures and other related processes are actually followed when an incident occurs.

For more information, contact Nick Merker, Stephen Reynolds, Rachel Spiker or another member of our Data Security and Privacy Team ( For more information regarding the full range of family office services offered by Ice Miller, contact Andrew VentoBill Ellsworth, Miranda Morgan or another member of our Trusts, Estates and Private Wealth Team ( 

This is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

  • Perspectives

    • Take Time to Face Reality

      When is the last time that you as a business owner truly stopped for 30 minutes or an hour and truly took some quiet time to reflect on your business? Like most owners, it’s probably been quite some time. We all get busy doing things, working hard, taking care of customers, running the business. But if we don’t take some time each day, week, month or quarter to slow down, we are setting ourselves up for failure. Business leaders and owners need the time to slow down to...



Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • (Image courtesy of INDOT)

      Noblesville Details Infrastructure Improvement Projects

      The city of Noblesville announced plans for a major infrastructure partnership with the Indiana Department of Transportation that includes five new roundabout intersections. The $16 million total cost of the project will be split with INDOT covering $9.5 million.

    • (Photo Courtesy: Roche Diagnostics)

      Roche VP on List of Influential Women Executives

      An executive with Roche Diagnostics has joined an exclusive list of prominent and influential women, including Oprah Winfrey and Serena Williams.  Cindy Carlisle, Vice President of Human Resources at Roche Indy, was named to Savoy Magazine’s 2019 Most Influential Women in Corporate America. 

    • (photo courtesy of Drink Culture)

      Hosts Turn Podcast Into Business

      It's easy to find podcasts on nearly any topic these days, however the creators behind one Indianapolis-based podcast have found a way to turn their hobby into a viable business. The Drink Culture Podcast, which spotlights entrepreneurs, though leaders and creators in Indy, is celebrating a special declaration by the city.

    • Elanco is headquartered in Greenfield.

      Elanco Finishes Deal on Pet Therapeutics Purchase

      Greenfield-based Elanco Animal Health Inc.(NYSE: ELAN) completed its purchase Thursday of Aratana Therapeutics (Nasdaq: PETX), a pet therapeutics company located near Kansas City. As Inside INdiana Business first reported Tuesday Aratana shareholders voted overwhelmingly in favor of the $245 million deal. 

    • (Image provided by the Capital Improvement Board.)

      Indy Alters Plans for Downtown Hotels

      The city of Indianapolis has announced plans to change the framework for a major project in downtown Indy that has sparked controversy. The $120 million project, announced in October 2018, calls for an expansion of the Indiana Convention Center and two new hotels at Pan Am Plaza, which would add about 1,400 rooms. The project has drawn criticism from a group of hoteliers, who have expressed concern of a potential oversaturation in downtown Indy. Indianapolis Mayor Joe Hogsett issued...