Should My Family Office Be Concerned About Cybersecurity?

Posted: Updated:

Data breaches are constantly in the news and most companies know they should be concerned about privacy and the security of their data, or at least recognize this is an important and complex area.

However, most family offices are not sure how to start addressing their concerns, or worse, don’t view the family office as a target. The majority (58%) of malware attack victims were categorized as small businesses in 2018.[i] Small businesses, and family offices in particular, are attractive targets for a number of reasons. Family offices may have a more informal governance structure than other companies, and family offices often put a heavy reliance on smaller staffs who have disproportionate access to large amounts of data. The fame and prominence of those associated with family offices can make the family office a target as well.

A family office manages a large amount of wealth, with careful attention and focus on protecting the wealth and creating a lasting and impactful legacy. Efforts to ensure security of data are not often a top priority for a family office, but that trend is changing. A recent report by Campden Wealth indicated that nearly a quarter (24%) of family offices surveyed reported protecting against cyberattacks as a governance priority for their family office.[ii] In 2017, Campden Wealth reported, within its Private & Confidential – The Cyber Security Report, that 32% of family offices have experienced one or more cyberattacks, with a significant portion resulting in some form of loss, such as a loss in revenue (26%) or loss of private and confidential information (19%).[iii] Despite the threat, and actual occurrences, of a cyberattack, roughly half (52%) of family offices surveyed had a cyber security plan in place, leaving a large population of the family office community vulnerable to security incidents.[iv]

Complex and dedicated efforts to ensure cybersecurity are often not given the sufficient attention required within a family office, unless a serious breach has occurred in the past with the family. The potential impacts to a family office after experiencing a security incident are somewhat unique. A security incident can cause the common impacts such as financial loss and reputational damage, but when a family office is the target the far reaching legacy of family can also be damaged. A security incident can expose more than just financial data; think about the recent scandal involving Jeff Bezos where personal text messages were obtained and released.
What Can Our Family Office To Do Plan and Prepare?
Being prepared for a security incident can make a difference in the severity and overall impact of a security incident when it occurs. Cyber-liability insurance policies can help to offset the potential losses associated with a security incident. An effective cybersecurity plan and training may even help to avoid easily preventable attacks. An effective incident response plan creates a clear plan of how to react and what steps to take when a security incident does occur. Testing the incident response plan once it is created through tabletop exercises helps to identify any gaps in the plan and allows for members to get comfortable with the process in the event of a security incident.

1.     Prepare a Cybersecurity Plan.

The process of preparing a cybersecurity plan allows for the family office to obtain a better picture of the technology being used by the family office, what types of information the family office is collecting and processing, how to best protect that data, and more. A review of the types of data a family office collects and how that data is stored and processed is a good starting point. Involving oversight from the board, executives or the family to create the cybersecurity plan allows for all parties with a stake in the protection of the data to be involved. Involving parties outside of just the information technology (IT) specialist allows for greater understanding of the reasons behind the polices and plan.

2.     Obtain a Cyber-liability Insurance Policy.

A cyber-liability insurance policy has the potential to cover a multitude of losses such as liability for lost data, remediation costs for investigations, notifications and repairs to systems after a security incident and settlement costs associated with a security incident. Typically, a cyber-liability insurance policy will give a family office access to experts who can assist with a security incident.

3.     Provide Cybersecurity Training and Education to Staff and Family Members.

Providing staff and family members with cybersecurity training is key; the first line of defense against a security incident is often people. By providing training and education about potential threats, best practices and appropriate processes, a family office can help to avoid incidents or attacks that are easily preventable.

4.     Prepare an Incident Response Plan.

A security incident occurs, your emails have been hacked, financial information has been compromised, now what? Creating an Incident Response Plan will lay out the steps the family office should take following an incident. The process of creating a plan helps to eliminate the stress and confusion that often surrounds a security incident by establishing the actions and processes before an incident occurs. A well-crafted Incident Response Plan can have a significant impact on the amount of damage caused by an incident.

5.     Perform Table Top Exercises.

A tabletop exercise is an activity in which key personnel who are assigned management roles and responsibilities in the event of a security incident are gathered to discuss, in a non-threatening environment, various simulated security incident situations. The exercises are provided by third parties and allow key family office staff, board members and family members a chance to run through the family office data security programs, policies, procedures and other related processes. Tabletop exercises give employees the opportunity to become familiar with the plans in the event of a security incident and hopefully help to ensure the data security programs, policies, procedures and other related processes are actually followed when an incident occurs.

For more information, contact Nick Merker, Stephen Reynolds, Rachel Spiker or another member of our Data Security and Privacy Team ( For more information regarding the full range of family office services offered by Ice Miller, contact Andrew VentoBill Ellsworth, Miranda Morgan or another member of our Trusts, Estates and Private Wealth Team ( 

This is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

  • Perspectives

    • 3 Tips to Attract and Retain Employees in the Gig Economy

      The gig economy has been around ever since workers began looking for supplemental income, but, it has recently evolved with the introduction of technology. Companies emerging like Uber, Lyft and GrubHub, are changing the gig economy landscape of the workforce. The gig economy has attracted millennials and Gen Zers because of the flexibility and autonomy to work from anywhere, at any time.



Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • (Industrial hemp photo courtesy of Purdue University)

      Hemp Processor Announces Expansion

      Indianapolis-based BDX Indiana has announced plans to bring more than 100 new jobs to central Indiana, with about a third of those going to a planned hemp extraction facility in Westfield. BDX extracts CBD oil from Indiana-grown hemp and is a sister company of Biodynamic Ventures, the largest hemp grower in Indiana. The city says the phase one build-out of the overall $50 million project is expected to begin this month with production to start in December. 

    • Butler Blue III is retiring next spring as the school's mascot. (photo courtesy Butler University)

      Butler Mascot Set to Retire

      One of the best-known ambassadors for Butler University is stepping down, all four legs of him, at the end of the current academic year. The university says their furry mascot, Butler Blue III, is ready to retire after nearly eight years of greeting visitors, students and staff. 

    • (photo courtesy of Indianapolis International Airport)

      Indy Airport Showcases New Retail Offerings

      Indianapolis International Airport is celebrating the opening of the first wave of new retail offerings. The new stores are part of the airport's multi-year Concessions Refresh initiative, which aims to bring a greater mix of nationally-known brands, such as FAO Schwarz and Vineyard Vines, with more local offerings, including Natalie's Candy Jar and Fountain Square Market. In all, nine new retail stores opened Tuesday morning. In an interview with Inside INdiana Business...

    • (image courtesy of Pixabay/VIN JD)

      Cyber Security Battalion to be Located in Indiana

      Indiana’s growing defense industry is further expanding into the digital battlefield. Governor Eric Holcomb has announced a National Guard cyber battalion will be located in the Hoosier state. The 127th Cyber Protection Battalion will be made up of nearly 100 soldiers focused on cybersecurity and cyber warfare. 

    • CEO of Knox County Development Corp. Steps Down

      The president and chief executive officer of the Knox County Development Corp. has resigned. Kent Utt had held the position for five years. Officials say Utt will continue to work with the corporation’s leadership to ensure a smooth transition going forward.