The editors are pleased to share these views; the usual editorial disclaimers apply. To jump into the conversation, email tom.burroughes@wealthbriefing.com

Whether we talk about single- or multi-family offices, the private wealth sector has dragged its feet on implementing cyber defenses. A report from Dentons found that a quarter of North American family offices faced cyber attacks in 2023, and half knew of a firm that had been attacked. But only 31 per cent were considered to have robust cyber risk capabilities, and only 29 per cent felt that their cyber defense training was adequate.

What does it mean for a family office to be at cybersecurity risk?
In my opinion, the firms that are really ahead of the curve right now are the ones that understand that cybersecurity goes beyond protecting their business and client data. Cybersecurity is a concierge service that a well-equipped firm can offer to shield a wealthy family’s home, work, and digital lives from attackers.

If that sounds like a tall order…it is. The concentration of wealth among family offices, especially those that serve a single ultra-high net worth family, is like catnip to cybercriminals. There are hackers who devote their entire criminal careers to the infiltration and theft of these types of individuals and families. Worse, they have so many more vectors of attack to prey on these families. The Internet of Things has proliferated nearly every home with dozens of Bluetooth- and wifi-enabled lights, thermostats, smart speakers, security cameras, and other appliances. Each represents a connection to the internet and therefore another potential security fault.

Imagine explaining to your client that cybercriminals are ransoming part of their wealth because their refrigerator did not receive a firmware update!

Build your cybersecurity in-house
Instead, wise family offices make the full-time cyber protection of their clients a selling point, just as they might offer estate planning, insurance solutions, or other ancillary services to their private clients. The ideal family office is properly staffed with professionals who can establish virtual private networks, corral the internet-capable devices in their homes, properties and businesses, and highlight risks that clients may not have even known were present.

In order to do so, they have to decide whether to hire in-house cybersecurity staff or outsource this kind of full-time help. Both approaches have their costs and selling points, but a family office’s worst option is to do nothing.

You could argue that the cost of dedicated cyber defense isn’t worth the benefits. But the opportunity cost is not just the added risk to your firm and your clients . You may well lose your business to a competitor that sees bespoke cybersecurity as the differentiator it truly is.

Nor would I recommend marketing your existing IT services as comprehensive cybersecurity. No matter how good your IT staff are, you are essentially asking them to work two jobs. It's likely they already have their hands full maintaining the data integrity of your business, protecting you and your clients, and overseeing technology that supports a very highly regulated industry. Extending that role to keep track of the client's home and every part of their financial life outside of the business is not a winning proposition.

Or outsource your cybersecurity instead?
Instead, you might consider outsourcing the role. As with any outsourced service, there are advantages to paying someone else to do the heavy lifting. You immediately gain access to a wider range of expertise and technology than might be possible in-house. You will defer the final responsibilities of upkeep, risk, and ongoing education associated with cyber defense.

The costs of outsourcing versus in-house work are two sides of the same coin. Outsourcing means that your costs will be predictable, but in the long run, they will likely be higher than if you had built your cyber defense talent in-house. But establishing your own in-house team comes with steep, up-front costs in time and training. The right answer here will depend on how quickly you need to bring your services to a competitive standard, the money you have to spend, and your long-term business plans.

An in-house team comes with its own advantages, beyond potentially lower business costs in the long run. If you need an exacting degree of control over how IT infrastructure and data security are handled, in-house services are probably superior. You will gain full visibility of the external threats to your business and your clients’ finances, unfiltered by a third-party intermediary. It’s also likely that an in-house team will respond faster than an outsourced partner can, which can make all the difference in cyber risk events where seconds count.

But if you build your own team, you’re responsible for them. It will be on you to train and maintain the capabilities of an in-house team to stay ahead of tech trends and cybercriminals. You will have to nurture and protect the institutional knowledge of your team, just as you would for the advisors in your practice. If one of your cybersecurity experts leaves your firm, their successor would need to be able to take their place without missing a step.

You will have to make the final call on which cyber defense strategy makes sense for your family office. To be frank, any choice at all will put you ahead of the game. Private wealth clients deserve better than cyber protection as an afterthought. Meeting this need, and articulating the value of it, will go a long way to cementing your value in the eyes of the families you serve.