
Numbers Don’t Lie: Family Offices Focus Less On Cybersecurity – And Risk More

Warren Finkel November 4, 2025

Operational costs for family offices have risen, but the focus on cybersecurity appears to have declined, which could have very bad outcomes, the author of this article says.

The following article is from Warren Finkel, managing director, Omega Systems. The editors are pleased to share this content. The usual editorial disclaimers apply. Email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com 
 

Family offices face an uncomfortable truth in 2025: while operational costs continue to climb, cybersecurity focus is slipping – and the consequences could be catastrophic.

Omega Systems’ 2025 Financial Services IT & Cyber Resilience Survey, which polled more than 300 financial leaders across the US, found that while technology spending is increasing broadly, family offices are prioritizing operational efficiency and cost control over cyber defense. More than half (53 per cent) named rising costs as their top business concern for 2025, compared with just 39 per cent who cited cyber threats.

That gap in focus is creating new vulnerabilities – and in an environment where family offices manage some of the most targeted and valuable assets in the world, misplaced attention can carry a steep price.

Cyber risk has become a business risk
Cyber incidents are no longer theoretical or isolated events. Nearly 93 per cent of financial firms in Omega’s study experienced at least one cyber-attack in the past year, and one in four family offices faced more than 25 incidents, including phishing scams, ransomware attacks and unauthorized access attempts.

These attacks are happening in plain sight – and family offices clearly understand the stakes. Seventy-eight per cent of respondents said a successful breach would trigger client withdrawals, investor panic, or direct loss of assets under management.

Yet despite that awareness, many family offices still view cybersecurity as one of several competing operational priorities rather than a foundational business requirement. That mindset leaves firms reacting to threats rather than anticipating them.

The confidence gap in cyber readiness
One of the most striking findings from the survey was the low confidence family offices have in their employees’ ability to detect and prevent modern cyberattacks.

Just 60 per cent expressed confidence that staff could identify AI-driven phishing or social-engineering threats – compared with an industry average of 69 per cent and other financial verticals like RIAs pushing nearly 80 per cent. Even more concerning, only 17 per cent plan to make employee awareness training a priority in 2026.

This combination – low confidence and low investment – leaves a widening gap between threat exposure and human readiness. It also exposes a false sense of security among firms that may be improving their technological footprint without addressing their biggest vulnerability: people.

Meanwhile, 83 per cent of family offices said they’re concerned about deepfake or impersonation campaigns targeting executives or high-net-worth clients. The worry is justified. Generative AI has made it easier than ever to forge credible voice and video attacks that can bypass traditional verification processes and exploit trust at the highest levels of wealth management.

Legacy systems, lasting risk
Technology modernization is another area where family offices continue to lag their peers. More than two-thirds of family offices (67 per cent) admitted that their reliance on on-premises or legacy systems would hinder their ability to recover from a cyber incident. This figure is significantly higher than the 50 per cent average across the financial services spectrum.

Legacy environments are harder to secure and patch and often lack real-time visibility into emerging threats. For a family office, that means longer response times, slower recovery, and greater fallout if a breach occurs.

Many are beginning to modernize; survey data shows cloud adoption and network security among the top three IT budget priorities for 2026. But modernization alone isn’t enough. Without embedding security controls, continuous monitoring, and incident response (IR) planning into those projects, new systems can replicate old weaknesses under a new name.

Outsourcing remains an untapped advantage
Despite rising complexity, family offices remain slow to take advantage of managed security or co-managed IT partners. Only 8 per cent have fully outsourced cybersecurity, while another 22 per cent use a hybrid model.

Why the hesitation? Firms slow to adopt outsourced IT are often concerned about trust and control. But outsourcing can actually enhance control, providing access to 24×7 monitoring, dedicated security operations teams, and deeper regulatory expertise that most internal teams can’t match.

When asked what they value most in a partner, family offices pointed to around-the-clock threat detection (61 per cent), 24×7 help desk access (56 per cent), and fast response times and service level agreements (47 per cent) – precisely the capabilities managed security providers are built to deliver.

As cyber threats grow in sophistication, strategic partnerships can help family offices move from a reactive to a proactive security posture, closing gaps in both technology and talent.

Refocus for 2026: Make cybersecurity the center of the IT conversation
The data doesn’t show a lack of technology investment; it shows a lack of focus on the parts of IT that most directly protect investor trust and operational continuity. To regain balance, family offices should reframe cybersecurity as the foundation of operational resilience, not a competing budget line. That means prioritizing:

-- Employee readiness: Regular training and real-world phishing simulations to strengthen human defenses; 
-- Infrastructure modernization: Cloud migration paired with automated patching, threat detection, and robust backup protocols; 
-- Continuous monitoring: Moving from periodic scans to real-time visibility across endpoints, networks, and cloud platforms; and 
-- Strategic partnerships: Leveraging co-managed or outsourced SOC and MDR services to extend internal capacity.

These steps aren’t about spending more. They’re about spending smarter.

In a market built on discretion and trust, even a single cyber incident can undo years of reputation and relationship building. As family offices plan for 2026, the message is clear: technology investment without cybersecurity is not progress; it is risk deferred.

Read Omega Systems’ full survey report, The Survival Imperative: Cyber Resilience in Financial Services in 2025, here.
 
