Source: RSM US LLP.   


In today’s rapidly evolving cyber threat landscape, many ultra-high net-worth individuals and families are prime targets for carefully crafted cyberattacks.

Family offices, including virtual and single-family offices, can serve as unknowing gateways to sensitive data and personal information of family members due to their extensive financial dealings and relatively low maturity in cyber preparedness. In addition, family offices have a human element in their operational risk controls that can be leveraged by criminals. These vulnerabilities make them attractive targets to threat actors, who may not even need sophisticated hacking skills to compromise a family’s security.

Behind the numbers

Family offices typically work to keep a low profile, placing an understandably high value on privacy and discretion; however, this doesn’t make them immune to cybercrime. Consider these statistics released by the 2021 RBC/Campden North America Family Office Report:

  • Twenty-eight percent of family offices were targeted in cyberattacks over a 12-month period
  • Nearly one in three family offices said they feel ill-prepared to safeguard themselves against cyberattacks
  • Twenty percent of family offices lack a cyberattack response plan of any kind

RSM’s 2022 US Middle Market Business Index Cybersecurity Special Report, which leveraged data from over 400 senior executives at middle market companies, showed 45 percent of respondents had outside parties attempt to manipulate employees by pretending to be trusted third parties or company executives. Twenty-seven percent of these companies ultimately suffered cybersecurity attacks.

Social engineering threats to watch out for 

Threat actors can come from inside or outside the family office and use social engineering tactics to take advantage of unsuspecting targets. To aid in their manipulation, threat actors may harvest family and staff members’ personal information from open and closed sources to access public and private data.

In our experience working with affluent clients across their family enterprise to help mitigate cybersecurity risk, we have found it critical for family offices to regularly monitor for all types of social engineering attacks, including:

  • Brute-force attack: A hacking method that uses trial and error by submitting many possible permutations to crack a victim’s account passwords and login credentials.
  • Dictionary attack: Threat actors will leverage a victim’s social media profile and other personal information gathered through open sources to generate a list of potential key passphrases.
  • Purchase on the dark web: Credentials exposed in third-party breaches are made available for sale on dark web marketplaces for threat actors to use maliciously.
  • Pretext attack: A target is manipulated into divulging personal information under false pretenses.
  • Phishing: A threat actor utilizes a spoofed message to trick a target into revealing personal information.

As a precautionary measure, family offices may want to consider performing a cybersecurity assessment to get a holistic view of potential risk. When there are data security concerns specific to a family member, consider a threat intelligence investigation to identify sources of exposure. If the family member is a key member of the family office enterprise, we recommend widening the scope of the investigation to include immediate and extended family members, as personal information is often exposed through innocent third parties.

The investigation should consider assessing open sources, such as social media, news platforms, people-search websites, location services, and public records. Searches should also extend to closed sources of information, including dark web marketplaces, underground forums and chatrooms, and other non-indexed web content.

Sensitive data exposure vulnerability

Threat actors are always on the hunt for personal information. In our experience working with family offices, personal information of family members can often be obtained simply by searching online for:

  • Current and past addresses
  • Full names, nicknames, and birthdates
  • Education history and current attendance
  • Job history
  • Social media accounts
  • Public storage accounts

It can become especially cumbersome to keep the above data safe, especially when you consider the role mobile devices and social media play in our lives. Keep in mind that many platforms make a profit from sharing your information.

What can family offices do to protect personal information from getting in the wrong hands? Practice good cyber hygiene by regularly performing:

  • Data monitoring—Conduct an inventory audit of each family member’s personal and affiliate information available on open and closed sources.
  • Data takedowns—Request to remove personal information exposed on open-source websites.
  • Security controls review—Work with family members to prevent unnecessary information exposure and implement security controls for social media accounts.
  • Training—Provide awareness training, including phishing exercises, to help educate staff and family members on how to protect their data.

While there are simple steps that family offices can take to safeguard sensitive information, RSM can help take them further by designing and executing a holistic cybersecurity strategy to effectively manage risk across the family enterprise. This strategy may consist of multiple measures, including general cybersecurity assessments and forensic analyses that evaluate the integrity of systems such as internal and external communications, billing and payment systems, integrated technology, and third-party relationships. Taking proactive security measures that consider users, devices, networks, and data is the best defense against becoming another cyberattack statistic.

This article was written by Rob West, Maddie Lazas and originally appeared on 2022-12-15.
2022 RSM US LLP. All rights reserved.


RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.