Should My Family Office Be Concerned About Cybersecurity?

Posted: Updated:

Data breaches are constantly in the news and most companies know they should be concerned about privacy and the security of their data, or at least recognize this is an important and complex area.

However, most family offices are not sure how to start addressing their concerns, or worse, don’t view the family office as a target. The majority (58%) of malware attack victims were categorized as small businesses in 2018.[i] Small businesses, and family offices in particular, are attractive targets for a number of reasons. Family offices may have a more informal governance structure than other companies, and family offices often put a heavy reliance on smaller staffs who have disproportionate access to large amounts of data. The fame and prominence of those associated with family offices can make the family office a target as well.

A family office manages a large amount of wealth, with careful attention and focus on protecting the wealth and creating a lasting and impactful legacy. Efforts to ensure security of data are not often a top priority for a family office, but that trend is changing. A recent report by Campden Wealth indicated that nearly a quarter (24%) of family offices surveyed reported protecting against cyberattacks as a governance priority for their family office.[ii] In 2017, Campden Wealth reported, within its Private & Confidential – The Cyber Security Report, that 32% of family offices have experienced one or more cyberattacks, with a significant portion resulting in some form of loss, such as a loss in revenue (26%) or loss of private and confidential information (19%).[iii] Despite the threat, and actual occurrences, of a cyberattack, roughly half (52%) of family offices surveyed had a cyber security plan in place, leaving a large population of the family office community vulnerable to security incidents.[iv]

Complex and dedicated efforts to ensure cybersecurity are often not given the sufficient attention required within a family office, unless a serious breach has occurred in the past with the family. The potential impacts to a family office after experiencing a security incident are somewhat unique. A security incident can cause the common impacts such as financial loss and reputational damage, but when a family office is the target the far reaching legacy of family can also be damaged. A security incident can expose more than just financial data; think about the recent scandal involving Jeff Bezos where personal text messages were obtained and released.
What Can Our Family Office To Do Plan and Prepare?
Being prepared for a security incident can make a difference in the severity and overall impact of a security incident when it occurs. Cyber-liability insurance policies can help to offset the potential losses associated with a security incident. An effective cybersecurity plan and training may even help to avoid easily preventable attacks. An effective incident response plan creates a clear plan of how to react and what steps to take when a security incident does occur. Testing the incident response plan once it is created through tabletop exercises helps to identify any gaps in the plan and allows for members to get comfortable with the process in the event of a security incident.

1.     Prepare a Cybersecurity Plan.

The process of preparing a cybersecurity plan allows for the family office to obtain a better picture of the technology being used by the family office, what types of information the family office is collecting and processing, how to best protect that data, and more. A review of the types of data a family office collects and how that data is stored and processed is a good starting point. Involving oversight from the board, executives or the family to create the cybersecurity plan allows for all parties with a stake in the protection of the data to be involved. Involving parties outside of just the information technology (IT) specialist allows for greater understanding of the reasons behind the polices and plan.

2.     Obtain a Cyber-liability Insurance Policy.

A cyber-liability insurance policy has the potential to cover a multitude of losses such as liability for lost data, remediation costs for investigations, notifications and repairs to systems after a security incident and settlement costs associated with a security incident. Typically, a cyber-liability insurance policy will give a family office access to experts who can assist with a security incident.

3.     Provide Cybersecurity Training and Education to Staff and Family Members.

Providing staff and family members with cybersecurity training is key; the first line of defense against a security incident is often people. By providing training and education about potential threats, best practices and appropriate processes, a family office can help to avoid incidents or attacks that are easily preventable.

4.     Prepare an Incident Response Plan.

A security incident occurs, your emails have been hacked, financial information has been compromised, now what? Creating an Incident Response Plan will lay out the steps the family office should take following an incident. The process of creating a plan helps to eliminate the stress and confusion that often surrounds a security incident by establishing the actions and processes before an incident occurs. A well-crafted Incident Response Plan can have a significant impact on the amount of damage caused by an incident.

5.     Perform Table Top Exercises.

A tabletop exercise is an activity in which key personnel who are assigned management roles and responsibilities in the event of a security incident are gathered to discuss, in a non-threatening environment, various simulated security incident situations. The exercises are provided by third parties and allow key family office staff, board members and family members a chance to run through the family office data security programs, policies, procedures and other related processes. Tabletop exercises give employees the opportunity to become familiar with the plans in the event of a security incident and hopefully help to ensure the data security programs, policies, procedures and other related processes are actually followed when an incident occurs.

For more information, contact Nick Merker, Stephen Reynolds, Rachel Spiker or another member of our Data Security and Privacy Team ( For more information regarding the full range of family office services offered by Ice Miller, contact Andrew VentoBill Ellsworth, Miranda Morgan or another member of our Trusts, Estates and Private Wealth Team ( 

This is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

  • Perspectives

    • Mitigating Your Company’s Cybersecurity Risk

      Frequently, I encounter people who think that a software developer understands all languages and can “fix” anything tech related. While that may be true for a few, areas of expertise within tech evolve as rapidly as the technology itself. For instance, there was a time (not long ago) when operating in the cloud was revolutionary. Today, it is considered best practices for some or all of an organization to function within a cloud. Managed information technology began with...



Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • (photo courtesy Dax Norton)

      Whitestown Tops Indiana's Fastest-Growing Communities

      The Indiana Business Research Center at the Indiana University Kelley School of Business says Whitestown in Boone County is Indiana's fastest-growing community for the eighth consecutive year. The center says the town's population nearly tripled, from 3,132 in 2010 to 8,627 last year. Westfield in Hamilton County is not far behind. Its population grew 5.2 percent in 2018, according to information reported by the U.S. Census Bureau. Other communities on the list include...

    • The Waterside project aims to transform 100-acres of the former GM Stamping Plant site. (photo courtesy of Ambrose Property Group)

      Ambrose, Glick Partner on Waterside

      Indianapolis-based Ambrose Property Group has announced a key partnership for the redevelopment of the former GM Stamping Plant in downtown Indianapolis. The commercial real estate firm is teaming up with the Gene B. Glick Co. to build and manage apartments as part of the $1.4 billion mixed-use redevelopment project. Ambrose says the partnership is also part of plans to catalyze "philanthropic and community-centric strategies to strengthen Indianapolis." The firm also...

    • Despite Profit Increase, Shoe Carnival Predicts Store Closings

      Evansville-based Shoe Carnival Inc. (Nasdaq: SCVL) is reporting fiscal first quarter net income of $13 million, up from $8.2 million during the same period last year. Despite the increase, the company says it expects to close up to 25 stores throughout the fiscal year while adding three new locations.

    • Carmel Ranked Among Best Places to Live

      Carmel has been chosen as the 3rd best place to live in the U.S. according to MONEY.  The publication only looked at cities with a population of 50,000 or greater, and eliminated any place that had more than double the national crime rate, less than 85-percent of the state's median household income, or lack of ethnic diversity.  MONEY was able to pare the list down to 50 communities after delving into data concerning economic health, public education, cost of...

    • NIBCO is headquartered in Elkhart. (photo courtesy of NIBCO)

      Companies Detail Closures, Layoffs

      Four companies have announced plans to lay off a total of nearly 300 employees. In separate notices filed with the state, the companies say the moves will affect workers in Indianapolis, Fort Wayne, Charlestown and Peru.