A notable 43% of family offices globally have experienced a cyberattack over the last 12-24 months, with 25% experiencing three or more attacks. Those in North America are the most likely to report being attacked (at 57% versus 41% in Europe and 24% in Asia Pacific), along with those with AUM over US$1 billion (at 62% versus 38% for those with AUM under US$1 billion).

While threats come in many forms and are often linked, the most common form of attack is phishing (experienced by a notable 93% of victims), followed by malware (35%), and social engineering (23%).

Among the family offices which have experienced a cyberattack, a significant one-third globally have suffered some form of loss or damage as a result. The most common consequences are operational damage (including the loss of confidential/sensitive data) and financial loss, as experienced by 20% and 18% of victims, respectively.

Despite the high prevalence of attacks, nearly one-third (31%) of family offices do not have a cyber incident response plan in place. Another 43% say they have a plan, but it “could be better,” while merely a quarter (26%) claim to have a “robust” plan.

At present, most family offices offer some basic security measures, such as strong passwords/multifactor authentication (MFA) (85%) and data backups (72%). Fewer offices offer other basic measures, such as cybersecurity staff training (58%) and maturity assessments (34%). Moreover, many offices have not progressed on to more advanced protections that would make them better prepared: 50% do not have a disaster recovery plan, 63% do not have cybersecurity insurance, 68% have not adopted ‘know your vendor’ protocols, etc.

Given these security weaknesses, over one in five family offices (22%) have ranked cybersecurity as a top risk to their organization this year. Thus, 15% assert that strengthening cybersecurity is a core priority in 2024, a notable proportion, but one that needs even further visibility given the risks at stake.