A lack of spending on IT and cybersecurity measures has left many family offices exposed to the threat of fraud, often involving rapidly developing AI technology.
The family offices that manage the substantial wealth of ultra-high-net-worth investors are targeted by cybercriminals.
“People actually estimate that the entire cyber fraud industry around the world is more profitable than the global drug trade,” says Hannes Hoffman, global head of Citiwells Family Office Group. “It shows that it’s a very organized, very well constructed criminal act.”
A 2024 survey from consulting firm Deloitte revealed that over the past two years, 43% of family offices around the world have experienced cyberattacks. Despite these statistics, only 11% of family offices report being “very well protected” against cybersecurity risks, while 12% admit that they are “unprotected.”
When talking to family offices about their perceived risks, Hoffman says cybersecurity consistently emerges as the area where they feel most exposed.
Sophisticated cybercrime tactics are becoming more common, and Hoffman points out that criminals can deploy artificial intelligence to mimic voices and faces, making fraud more persuasive. “Today, if you’re a criminal network, you can buy software that allows me to talk to you, but I can look like your mother and I can sound like your mother,” he explains.
In response to the growing threat, Citi developed a cybersecurity framework for family offices, included in a white paper that analyzes challenges and solutions. The framework covers governance, identification, protection, detection, repair and resolution of vulnerabilities.
“After publishing the white paper, we got a call from the largest family office,” Hoffman said. “They said, ‘What do you know? We’ve never seen this kind of checklist from our own technology groups before.’ The fact that we gave them practical tools – do you have this system, did you think about it?”
A culture of complacency
Despite the availability of resources, many family offices remain complacent. “We take that very seriously. I think in the coming months you’ll get more attention from your family’s office,” says Hoffman.
Family offices are often less technically developed, believes Joe Boyle, CEO of Salt, a secure communications app used in several industries. “Their IT and cybersecurity spending is generally much less than larger, more sophisticated financial institutions. The contrast is harsh. These organizations oversee billions of dollars of assets for ultra-high-asset individuals, but they may lack even the most basic security infrastructure found in corporate finance.”
When it comes to family offices, the challenges go far beyond technology. “They usually have very well-known personnel at the top… a valuable target,” he says. “From our experience, we recognize the close protection and various factors that can be seen at a much higher level than other organizations.”
Personal protection
It’s not just physical security. Family offices, by their nature, are deeply personal institutions. Boyle said their intimacy makes them uniquely fragile.
“Whether it’s family, family, remote family, dissatisfied people, there’s a complex family dynamic and there’s a risk of fallout among personnel,” he says. “There may not be a very clear boundary between many different functions within an organization. This means that people who work within family offices tend to know more about the whole ‘heating-based’ than they would if they had worked in large financial institutions.”
Blurring professional and personal boundaries creates great vulnerability. There is also a need for a different approach to managing privacy and trust. “Unknown everything can actually be your biggest concern,” Boyle says. “Unknown everything means you’re not a target yourself.”
Boyle emphasizes the importance of fostering a culture of “egoless consciousness.” An effective and open conversation can remove friction and emphasize the need to protect valuable assets. “But education alone is not enough,” he suggests. “The tools and habits adopted by families can be the difference between discretion and disaster.”
He recalls a cautionary tale. Young members of a client’s family regularly posted running statistics and photos on the running app Strava. “They were basically telling everyone where they were, and that became a big problem,” he says. “From the perspective of KRE (kidnap, ransom, extortion), it is an absolute red flag.”
The most troubling thing is how asymmetric the battlefield has become. “It’s risky to actually go physically and try to lure someone out and invite someone out,” Boyle explains. Cyberattacks, however, allow perpetrators to sit thousands of miles away on another continent, based in a “jurisdiction to turn blind.”
Despite the existential threat, Boyle sees most family offices investing in security only reactively, after a breach. “It’s more likely that you’ll pay to erase it after it happens, rather than investing so that it doesn’t happen,” he says.