Arms, The Man, And The Family Office

The importance of cybersecurity for family offices, given their aggregate wealth, hardly needs to be spelled out. This sector is confronting real threats. The following speech was delivered at this news service's recent forum on the topic.
The following keynote address was delivered by Scott C Fogarty (pictured below), CEO of Ridgeback Network Defense, at last week’s Family Wealth Report Family Office Cybersecurity Forum 2026, held in New York City. (See a previous account of the event here by our US correspondent.)
“I sing of arms and the man.”
Virgil did not begin The Aeneid with comfort. He began with arms, struggle, duty and the piercing truth that civilization is not inherited simply because one generation hands something valuable to the next. It must be carried and defended. That is the right frame for family offices in the age of AI-enabled cyber attack.
Cyber doctrine and the family office
The old wall is not enough. The standard now must be preemptive defense: control before compromise, consequence before detonation, and friction imposed on the attacker rather than absorbed by the defender. A family office that waits to learn what happened after the adversary has already gained initiative has accepted a losing model. What has been entrusted to it – capital, privacy, continuity, and obligations across generations – requires a different posture. For the family office in the AI era, that is not rhetoric. It is the operating necessity.
A family office is not merely an administrative structure for wealth. It is the institutional expression of continuity. It holds capital, identity, privacy, trust, reputation, philanthropy, succession, and obligation. That makes it valuable. It also makes it a target.
The cyber risk to family offices is still too often treated as a technical or procurement problem. That is no longer adequate. The adversary is probing terrain, mapping trust, exploiting relationships, and looking for the path from an inadvertent click to a foothold, from a foothold to discovery, from discovery to lateral movement, and from movement to detonation.
Family offices are already in the fight. More than half of North American family offices have reported a cyber attack in the last 12 to 24 months, and nearly one-third have no cyber incident response plan (Deloitte, The Family Office Cybersecurity Report 2025). At the same time, breakout time has collapsed from days to minutes, while most defenders remain organized around observation, alerting, interpretation, and response.
The failure of detection
For decades, cybersecurity has refined the same basic model: block what is known at the perimeter, then detect what gets through by analyzing evidence after the fact. Firewalls and antivirus gave way to intrusion detection, SIEM, EDR, XDR, and AI-enabled analytics, but the central asymmetry remains. If the adversary can still enter, discover, move, and impose cost while the defender waits for enough evidence to decide what happened, detection is fighting on ground the attacker has already chosen.
The decisive moment in a cyber attack is not when ransomware detonates, funds are diverted, or records are exposed. By then, the attack has already succeeded. The decisive moment comes earlier, when the adversary first tries to understand its target’s environment. Once the attacker can map the network, identify assets, see services, and test paths, the attack gains confidence. A defended environment should not answer those questions truthfully.
Yet too many networks still behave like open terrain, making discovery cheap, movement easy, and consequence delayed. For family offices, the attack surface is not a clean corporate perimeter. It is an ecosystem of trust that includes office networks, home networks, vendor connections, unmanaged devices, household systems, travel devices, and personal endpoints.
This is why the industry’s favorite phrases, “real time” and “comprehensive,” deserve pressure. Real time often means the tool alerts quickly, not that the attacker faces consequence quickly. Comprehensive usually means comprehensive only within the boundaries of what the tool can see or what has been properly enrolled. The right question is simple: when unauthorized discovery or lateral movement begins, does the environment act, or does it merely report?
The problem with detection is also mathematical. Every detection system lives with error rates. Tune for sensitivity and false positives drown true positives. Tune for precision and real attacks go unalerted. As the environment grows, so does the burden of interpretation. The defender becomes busy. The attacker remains purposeful.
It gets worse in the AI era. AI changes the economics and tempo of attack by automating reconnaissance, accelerating discovery, and adapting campaigns faster than human-centered defensive workflows can respond. Adding AI to the same detection model may improve triage, but it does not solve the root problem if the architecture still permits the adversary to initiate, discover, move, and force the defender into reaction.
The convoy principle
The right historical analogy is the convoy. In the early Battle of the Atlantic, U-boats sank Allied shipping at will. The answer was not better observation of sinking ships. It was to reshape the target. Convoys grouped, escorted, and defended merchant ships so that attack carried consequence. The attacker who moved toward a target now moved toward a response. First contact was no longer cost-free.
Cybersecurity has reached its convoy moment.
This is where cyber defense must move from observation to control. Deny the adversary reliable terrain. Deceive hostile discovery. Disrupt unauthorized movement. Impose consequence at first contact. Preemptive cybersecurity does not mean reckless retaliation. It means the environment is designed to act before damage occurs.
Standards of defense
The standard family offices demand should be straightforward: does the control change the attacker’s calculus? If it does not, it may still be useful for compliance, visibility, reporting, insurance, or investigation, but it is not decisive. A decisive control makes reconnaissance risky, movement constrained, and hostile contact consequential.
This is a governance issue, not merely a technical one. Family office leaders do not need to become cybersecurity engineers, but they do need to stop accepting claims that collapse under basic scrutiny. They should ask whether a tool can act automatically or merely alert, what is not covered, whether unmanaged assets are visible, and where enforcement actually happens.
Conclusion
Virgil sang of arms and the man because civilization does not survive by inheritance alone. It survives when duty becomes action. That is now a burden of the family office. Capital, privacy, reputation, succession, and continuity cannot be protected by defensive measures that act after the fact. In the AI era, defense must act before compromise, impose consequence before damage, and make hostile movement costly at first contact. Arms, the man, and the family office: what is entrusted across generations must now be defended by new doctrine.