Cyberattacks on family offices globally have become more commonplace, according to a report from Deloitte Private, with 43 per cent having experienced an attack in the last 12 to 24 months.

A quarter (25 per cent) experienced three or more cyberattacks, with the most common form of attack being phishing, which was reported by 93 per cent of victims.

More than a third (35 per cent) of those who had been on the receiving end of a cyberattack had seen a malware attack, while 23 per cent had experienced one relating to social engineering.

Of the family offices that have experienced a cyberattack, a third (33 per cent) had suffered some form of loss or damage as a result.

The most common consequences were operational damage, including the loss of data, and financial loss, which were experienced by 20 per cent and 18 per cent of victims respectively.

Despite the high prevalence of attacks, Deloitte found that 31 per cent of family offices do not have a cyber incident response plan in place.

A further 43 per cent said they had a plan but that it “could be better”, while just 26 per cent stated that they have a “robust” plan in place.

Deloitte noted that most family offices offer some ‘basic security measures’, such as strong passwords and multi-factor authentication (85 per cent) and data backups (73 per cent).

However, fewer family offices offer other basic measures, including cybersecurity staff training (58 per cent) and maturity assessments (34 per cent).

Furthermore, 50 per cent do not have a disaster recovery plan, 63 per cent do not have cybersecurity insurance, and 68 per cent have not adopted ‘know your vendor’ protocols.

More than a fifth (22 per cent) ranked cybersecurity as a top risk to their organisation this year, while 15 per cent said that strengthening cybersecurity was a ‘core priority’ for 2024.

Family offices in North America were the most likely to report a cyber attack (57 per cent), followed by Europe (41 per cent) and Asia Pacific (24 per cent).

Meanwhile, family offices with higher assets under management (AUM) were more likely to report an attack, as 62 per cent of those with AUM of more than $1bn reporting their cyberattack compared to 38 per cent of those with AUM under $1bn.

The data in Deloitte’s report was based on a survey of 354 single family offices from around the world between September and December 2023, overseeing an average AUM of $2bn.

---