Legal, Insurance, And Technology Strategies For Family Office Protection

We continue to provide coverage of the Family Wealth Report forum on the cybersecurity challenges faced by family offices in the US – and beyond.
Here is a summary of one of the panel discussions at the Family Wealth Report Family Office Cybersecurity Forum, held in Manhattan in mid-June. The discussion theme is on the strategies and tools that family offices can adopt to stay on top of the risks.
The following speakers took part: Imani Barnes, associate director, national cyber risk practice, Risk Strategies; Charlotte Edwards, vice president, for operations, Cyberwolf; Kate Norris, founder and CEO, Atténuer Risk (panel moderator), and William Roberts, partner, co-chair of the data privacy, protection, and litigation practice, Day Pitney.
Photo – left to right: Kate Norris, Imani Barnes, Charlotte Edwards, and William Roberts
This session focused on the evolving cybersecurity landscape and its implications for family offices, with three key areas of discussion, each led by a specific panelist:
1. Cyber insurance (Imani Barnes, Risk Strategies)
Panelists explored common misconceptions about cyber insurance, current market capacity, and the coverage limits family offices are purchasing. They emphasized the importance of understanding policy exclusions and aligning coverage with actual risk exposure.
2. Cyber profiles and risk exposure (Charlotte Edwards, Cyberwolf)
The discussion highlighted how an individual’s or family office’s online profile can significantly increase their vulnerability to cyber threats. Panelists explained why visibility matters and how it can make high net worth individuals prime targets for cybercriminals.
3. Regulatory and compliance requirements (Bill Roberts, Day Pitney)
Bill Roberts of Day Pitney shared real-world examples of how family offices have faced challenges with compliance and regulatory obligations related to cybersecurity. The panel stressed the importance of proactive governance and internal controls to avoid legal and reputational risks.
Cybersecurity for family offices extends well beyond technical controls and vendor vetting – it is now a board-level governance concern with real regulatory, reputational, and legal implications.
Family offices, while often operating under the radar, are increasingly falling within the scope of both sector-agnostic and industry-specific privacy and cybersecurity frameworks. This trend is driven by the sensitive personal, financial, and biometric data they process and the growing sophistication of threat actors targeting high net worth individuals.
Emerging threats specific to family offices:
-- Personal device and account targeting: Infiltration often happens through personal devices, accounts, etc. that sync with business accounts but where security is not enabled (or where exceptions to security were made). Threat actors conduct extensive research on family members’ digital footprints to find the path of least resistance.
-- Multi-vector deepfake social engineering: Coordinated campaigns with multiple AI-generated personas that are psychologically difficult to detect (they create a context in which it is difficult to speak up or challenge the request).
-- APT (advanced persistent threat) campaigns: Threat actors spend weeks to months studying family operations, getting to know the target (nicknames, interests, tone of voice, people they frequently interact with…). They patiently prepare an attack plan and strike at a vulnerable moment (example discussed: a wife buying furniture for the second house, or when the family travels).
-- Deepfake-enabled social engineering: Attackers are now leveraging generative AI to impersonate family members or key staff via voice/video – undermining verification protocols and enabling fraudulent instructions.
-- Supply chain intrusions through “trusted” vendors: We’ve observed a spike in breaches via IT consultants, concierge firms, private aviation services, and luxury security providers – vendors often trusted implicitly but lacking in cyber hygiene.
-- Privacy-centric extortion campaigns: Threat actors increasingly threaten to release personal photos, private family communications, or sensitive location data – not just financial records – in extortion attempts targeting HNW families.
The session concluded with a set of best practices for family offices, including:
-- Conducting regular cyber risk assessments;
-- Implementing robust incident response plans;
-- Educating family members and staff on cyber hygiene;
-- Ensuring cyber insurance policies are tailored to specific risks;
-- Staying current with regulatory changes and compliance obligations. Understand what activities may trigger obligations under laws like state privacy laws (e.g., CCPA in California), GDPR (if operating in the EU), and state data breach response laws;
-- Operationalizing incident response plans and testing them (too often plans are never operationalized and remain untested); and
-- Formalizing and updating your third-party risk management.
In addition to technical controls, the legal team should be engaged early in cyber readiness planning. This includes:
-- Conducting tabletop exercises with legal/regulatory scenarios;
-- Mapping data flows to assess cross-border risks and vendor exposure;
-- Aligning incident response with privilege protections and breach notification triggers;
-- Hiring specialized partners: Trust experts who are used to working in your context (wealth, family office). Do not opt for a generic provider; the family office context requires a specialized approach;
-- Hardening personal devices and accounts: Hardening means enabling the default security settings that are already there (e.g., on iPhone, run “Apple Security Check”; use six-digit passcodes instead of four; enable MFA on accounts). It also means helping families build a security posture by recommending professional parties to provide the technology and helping them ask questions in their family context, e.g., what information is off-limits to share online for our family?; and
-- Focusing on the human aspect: People are often the weakest link. Be aware of that, help them grow in the world of security, and make sure they trust you, because they will need you when an incident happens.
Closing thoughts:
As cyber threats continue to evolve in complexity and precision, family offices must adopt a proactive, holistic approach to cybersecurity. This means going beyond traditional IT solutions to include legal, regulatory, and human-centric strategies.
The insights shared during this session underscore the urgency of building a culture of cyber awareness, investing in tailored protections, and engaging trusted experts who understand the unique dynamics of high net worth families. By embedding cybersecurity into governance and daily operations, family offices can better safeguard their assets, privacy, and reputation in an increasingly hostile digital landscape.