Latest RSM research shows growing cybersecurity risk for family offices

RSM US LLP research from two separate reports shows the threat environment has become more challenging for companies that lack adequate enterprise risk management inclusive of protective measures amid an ever-evolving digital ecosystem that increases attack risk—family offices (FOs) are no exception. 

FOs of every size and type can serve as unknowing gateways to sensitive data and personal information due to their extensive financial dealings and relatively low maturity in cyber preparedness. These vulnerabilities make family offices attractive targets to threat actors who may not even need sophisticated hacking skills to compromise an organization’s security.

Developing a comprehensive cybersecurity approach is a strategic imperative for FOs to protect the enterprise and outmaneuver bad actors in an ever-evolving digital ecosystem that increases attack risks. 

Data breaches are on the rise amid cybersecurity complacency

The RSM US Middle Market Business Index (MMBI) Cybersecurity 2024 Special Report presented insights from a survey of 403 middle market executives at companies with up to $1 billion in revenue. The survey was conducted online from Jan. 8 to Feb. 16, 2024, on behalf of RSM by The Harris Poll. The insights suggest that many of these companies, from across a broad range of industries, have become complacent about cybersecurity amid fatigue after consistently hearing about risks and attacks for several years. 

Meanwhile, according to RSM data, reported breaches over a recent one-year period matched a high seen only once before in nine years of data collection by the firm. Certainly, the threat environment is more challenging now as generative artificial intelligence (AI) and other new technologies continuously change the landscape.

An alarming statistic from the report is that 28% of the middle market executives surveyed said their organizations experienced a data breach in the last year, rising from 20% in the 2023 survey and matching 2021 results. Even as breaches were up, 95% of survey respondents remained confident in their current security measures. 

The 2024 report noted a record-high number of companies that carry a cyber insurance policy (76%) and respondents that made a move to the cloud due to security concerns (55%). But while 37% of executives said cybersecurity will get an increasing share of the organization’s revenue, more than 60% of these decision makers also said they have two or fewer dedicated data security or privacy employees.

Protecting the enterprise weighs heavily on family offices

Similar to our cybersecurity report findings, data from the 2024 RSM Family Office Operational Excellence report shows a growing cybersecurity threat to FOs.

The report presented insights from a survey of 100 family offices across the U.S. and Canada, and was conducted from Aug. 14 through Aug. 22, 2023, using a sample provided by the Gerson Lehrman Group. The report highlighted key trends in digital transformation and cybersecurity—and revealed the threat of a cyberattack or data breach weighs heavily on FOs.

In fact, the majority (83%) of respondents from single-family offices (SFOs) cited a cyberattack or data breach as their biggest operational risk. One FO respondent went so far to say data theft is the biggest challenge of our time. To understand why, RSM interviewed a FO chief financial officer, who explained that the complexity of a FO, and the fact that many don’t have the governance or enterprise risk management strategies that are expected from a public company, makes them particularly vulnerable to cyberattacks.

Regardless of FO size, respondents ranked business disruption as their next biggest concern after a data breach or cyberattack. While only a small percentage (12%) of SFO respondents said their FO experienced a cyberattack in the past 12 months, the number of attacks was higher (20%) for midsize FOs. Nonetheless, most SFO respondents said they were only somewhat confident (71%) when asked about their FO’s ability to prevent a cyberattack.

Staying ahead of emerging cyberthreats

Hackers are persistent and will take advantage of any vulnerabilities or control gaps in a FO’s defenses. Potential threats loom for those lagging in cybersecurity budgets, IT staffing and in leveraging advanced technology such as using cloud-based systems to safeguard sensitive data in a hyperconnected world. 

In RSM’s experience working with affluent clients across their family enterprise to help mitigate cyberthreats, we have found it critical for FOs to take a holistic approach to cybersecurity risk management. An effective cybersecurity program takes into consideration people, processes, data and technology.

Like most companies, FO operations are becoming increasingly sophisticated and dependent on technology; however, IT personnel may struggle to keep up with emerging technologies and system upgrades. Not surprisingly, 62% of the family office survey respondents said they find delivering best-in-class technology in-house to be challenging. 

Complicating matters, remote and hybrid work habits have decentralized control and effectively created a larger attack surface for FOs. It can become especially cumbersome to keep sensitive data safe, especially when you consider the role mobile devices and social media play in our lives. Keep in mind that many platforms make a profit from sharing your information. With companies becoming more digital every day and the potential attack surface expanding, FOs often don’t have enough internal resources to cover evolving risks. 

RSM’s cyber teams work with FO executives and key stakeholders to identify sensitive or revealing personal information on the web. The analysts investigate search engines, social media platforms, people-searching websites and other data aggregators. Even if a staff or family member does not engage in social media or keeps their profile private, their personal information still may be inadvertently shared through the online activity of others, without their consent or knowledge. In one instance, RSM identified a photo storage blog owned by a family member through the investigation of search engine results, containing photos of sensitive documents, including medical records, loan and tax information, a driver’s license and more. The owner of the photo repository was unaware that its content was accessible for public viewing, reinforcing the need to diligently inventory one’s presence on the open web.  

Outsourcing as a cybersecurity strategy

Creating an effective cybersecurity approach is not optional for FOs, as suffering a cyberattack can have a harmful ripple effect across the enterprise. But small internal security groups that are typical of FOs can feel overwhelmed and outnumbered as they contend daily with criminals from countries around the world.

In response to today’s evolving challenges, managed security services solutions have become a critical strategy to establish or augment a security strategy that can stand up to modern threats. The strategy involves outsourcing the activities of maintaining and proactively planning for cybersecurity risk management as a means to increase operational efficiencies and reduce costs. The growing adoption of outsourcing is a noteworthy stat in the family office report, with 97% of SFO respondents indicating they leveraged external service providers in the past 12 months.

When selecting a managed services provider, consider their cybersecurity credentials within an FO environment. Ideally, the provider’s breadth of services should span the entire family office enterprise and include cross-border capabilities. 

The takeaway

Cybersecurity attacks are elevated and potential threats loom, leaving FOs at substantial risk. The latest RSM research shows that many companies have become complacent about cybersecurity amid fatigue after consistently hearing about risks and attacks for several years. But hackers are persistent and will take advantage of any vulnerabilities or control gaps in an organization’s defenses.

As part of a comprehensive enterprise risk management assessment, FOs should evaluate their cybersecurity strategies to resist and respond to attacks and take advantage of opportunities to strengthen their protections. One solution is to leverage managed security services to build or augment existing cybersecurity risk management programs. Look for a qualified managed security services provider with FO experience and expanded capabilities to safeguard the entire enterprise.