As part of the reports from last week's FWR family office forum on cybersecurity topics in New York, we carry the first of several panel discussions, hosted in this case by 360 Privacy.

The following discussion was held at one of the panels at the Family Wealth Report Family Office Cybersecurity Forum, held in New York. (See the first article about the discussions, here.)

The speakers at the panel were Tom Aldrich, chief revenue officer, 360 Privacy; Trinity Davis, managing director, 360 Privacy; Greg Sanfilippo, supervisor in the NYPD Shield program, Major in the US Army Reserves, and Justin Sellars, vice president private clients, 360 Privacy. (360 Privacy is one of the sponsors of the Forum.)

(Photo: Left to right: Greg Sanfilippo; Justin Sellars, Trinity Davis and Tom Aldrich.)

This panel, hosted by 360 Privacy, gathered real-world experience and lessons learned from security practitioners who have spent decades serving and protecting ultra-high net worth (UHNW) families and Fortune 500 enterprises. From protests which ended at the home of a family’s primary residence, to online threats and doxxing (and in rare cases even physical incidents), protectors and family office professionals are called upon to mitigate risks of all types.

Doxxing has been traditionally defined as the act of publishing personally identifiable information on the internet, typically with malicious intent. According to a recent study by SafeHome.org, approximately “4 per cent of Americans, or an estimated 11 million people, reported that they’ve personally been victims of doxxing attacks.” Additional metrics from that study point out that half of all victims claim that their home addresses were involved, and 20 per cent of those incidents involved information about their families. The most common side effects of doxxing were damage to professional reputation, physical safety risks, mental health impacts, and financial losses.

The panel first heard from Trinity Davis, who has spent over two decades managing operations and the overall protection strategy for UHNW families. Trinity described various incidents in his career where he was tasked with managing a crisis, which oftentimes began in the digital space and then migrated to the physical world. A large part of his successes and lessons learned came from a multi-layered approach to protection, including outside vendors to assist with personal information removal from the internet, leveraging free resources and managing relationships with local municipalities, and public-private partnerships. 

Through each experience, the panel also touched upon the importance of incident response, managing expectations and outcomes, and how communication with the families, executives, and offices evolved over time.

Justin Sellars and Greg Sanfilippo then expanded upon the public-private partnership piece by discussing a doxxing event that occurred in late May 2025. When a particular website came to the attention of 360 Privacy, Sellars and Sanfilippo began leveraging their networks to help crowdsource a solution for those effected. This URL, which at the time was not indexed by search engines, exposed the names, email addresses, phone numbers, and email addresses of over 1,000 companies and 23,000 individuals. The title of the URL had ties to the UnitedHealthcare incident which took place in December 2024. Through his extensive experience working with NYPD SHIELD, Sanfilippo helped introduce Sellars to the head of the FBI’s public-private partnership, Infraguard. Over the course of 72 hours, these teams were able to help with the removal of the website from public viewing and educate clients and concerned citizens alike on various proactive steps they could take to further “harden” their own digital footprints.

An often overlooked, though widely available resource, is a digital risk and/or vulnerability assessment. This can be done through a third-party who specializes in open-source intelligence work, or through an IRC Reg 132 assessment, which carries potential tax savings based on the risk tied to the executive(s) because of their title(s). To ensure thoroughness, it is recommended that these reviews include analysis of exposures on the open, deep, and dark web, with a particular focus on disclosure (and potential compromise) of personally identifiable information.

Outside of paid services, family offices also have access to free resources that can aid in reducing the overall exposure of personal information. Google recently introduced their “PII Removal Tool,” which helps de-index certain search results that are tied to data aggregator websites (think Spokeo.com, BeenVerified, WhitePages, etc.). The process is fully automated and, if the result qualifies under Google’s terms, the procedure takes less than 24 hours from start to finish.

At the state level there are also resources like the Safe At Home/Address Confidentiality Program. In New York, qualified individuals can take advantage of this program offered by the Attorney General’s office to obtain a unique, non-attributable physical address (oftentimes used for personal and professional purposes). In Suffolk County, homeowners can register for the Homeowners Watch List (HOWL). This free resource allows individuals, families, or family offices to “receive email notifications any time a deed or land record affecting their property is recorded and/or filed with the Suffolk County clerk.”

Lastly, registration and participation with public-private partnerships – Infraguard for example – can help assist teams and family offices alike in managing information, intelligence, and expectations during doxxing events. Partnerships such as NYPD SHIELD even have sub-groups within certain industries and verticals for information sharing and intelligence purposes.