Cybersecurity: Closing the top service gap for family offices
In JP Morgan’s 2024 Global Family Office report, 40% of family offices identify cybersecurity as their top service gap. This concern resonates deeply with me, especially since the report also reveals that:
“24% report being exposed to a cybersecurity breach or financial fraud, even as more than one in five offer no cybersecurity services.”
This aligns with what I’ve observed after years in financial services and, currently at Opto Investments, where I work with our investment advisor and family office partners to address their unique needs. With our strong Silicon Valley heritage, we leverage technology to tackle every aspect of private markets investments—including critical cybersecurity coverage and data privacy concerns.
As Opto’s Chief Information Security Officer (CISO), I’ve spent nearly 20 years working at the intersection of technology and regulated industries. I’ve secured software for financial institutions ranging from bulge bracket Wall Street firms to the single-family office my Dad runs. More recently, I’ve worked on behalf of the US government, military, and intelligence agencies. Drawing on this experience, I want to share some general guidelines for family offices that are starting to address their cybersecurity risks.
Note: Every firm is different and faces its own unique challenges and risks. It is impossible to be completely secure. I strongly recommend consulting information security professionals (Opto’s advisory services group can make recommendations) to discuss your specific situation.
General Cybersecurity Guidelines for Family Offices
1. Know Who You Are Talking To
Humans are often the weakest link in cybersecurity. Hackers exploit trust and the natural inclination to help, using tactics like phishing emails or fraudulent requests for sensitive data.
For example:
- An employee clicks a suspicious link in an email, exposing the system to malware.
- Someone posing as a client or colleague requests access to sensitive data.
Adopt a culture of healthy skepticism:
- Verify the identity of anyone requesting information. A video or phone call is often the best way to accomplish this, using contact details you already have on file rather than a number or link supplied in the request itself!
- Train employees to recognize phishing and other social engineering tactics.
2. Know Who to Call
Cyber incidents can escalate quickly. Having a response plan—and knowing whom to contact—can make the difference between containment and catastrophe.
Steps to take:
- Maintain a list of key contacts, including internal IT leads, external cybersecurity consultants, and law enforcement.
- Encourage employees to “See Something, Say Something.”
Security issues get worse the longer they fester. Ensure employees know they are doing you a favor by identifying potential problems.
3. Know Your Cyber Assets
Understanding your digital footprint is critical to protecting it. Many breaches occur because organizations fail to account for all the systems and data they must secure.
Take inventory:
- Identify all devices (e.g., laptops, phones), applications, and data repositories that your organization uses.
- Utilize an endpoint security system to lock down devices quickly if stolen or lost.
At Opto, we use Zip Security, which provides managed services and insights on top of typical tools for faster response.
- Know who has access to what, and limit access to only what makes sense (see below).
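The inventory step above is where gaps hide: a device that is in the spreadsheet but never enrolled in endpoint security cannot be locked or wiped if it is lost, and a device that touches company data but is in no spreadsheet at all is unknown to everyone. The following is an added example, not code from the original post and not part of Zip Security or any other product; the device IDs, owners and lists are constructed sample data standing in for three exports a family office already has (an asset list, the endpoint-security console's enrolled devices, and the sign-in log of its SaaS apps).

```python
"""Reconcile a device inventory against endpoint enrolment and observed sign-ins.

Added example with constructed data: the device IDs, owners and lists below are
hypothetical and stand in for exports from an asset spreadsheet, an endpoint /
MDM console and a SaaS sign-in log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str  # serial number or asset tag (hypothetical values)
    owner: str
    kind: str       # "laptop", "phone", ...


# Constructed inventory: what the office believes it owns.
INVENTORY = [
    Device("LT-0001", "alice", "laptop"),
    Device("LT-0002", "bob", "laptop"),
    Device("PH-0001", "alice", "phone"),
    Device("PH-0002", "carol", "phone"),
]

# Constructed: device IDs the endpoint-security console reports as enrolled.
ENROLLED = {"LT-0001", "PH-0001", "PH-0002"}

# Constructed: device IDs seen signing in to the office's SaaS apps this week.
OBSERVED = {"LT-0001", "LT-0002", "PH-0001", "LT-0099"}


def unmanaged_devices(inventory, enrolled):
    """Inventoried devices with no endpoint agent: cannot be locked or wiped if lost."""
    return sorted(d.device_id for d in inventory if d.device_id not in enrolled)


def unknown_devices(observed, inventory):
    """Devices touching company data that the inventory does not know about."""
    known = {d.device_id for d in inventory}
    return sorted(observed - known)


def enrolment_coverage(inventory, enrolled):
    """Percentage of inventoried devices that are enrolled, rounded to one decimal."""
    if not inventory:
        return 0.0
    covered = sum(1 for d in inventory if d.device_id in enrolled)
    return round(100.0 * covered / len(inventory), 1)


def coverage_report(inventory=INVENTORY, enrolled=ENROLLED, observed=OBSERVED):
    """Everything the quarterly inventory review should put in front of the principal."""
    return {
        "unmanaged": unmanaged_devices(inventory, enrolled),
        "unknown": unknown_devices(observed, inventory),
        "coverage_pct": enrolment_coverage(inventory, enrolled),
    }


if __name__ == "__main__":
    report = coverage_report()
    print(f"Endpoint coverage: {report['coverage_pct']}% of inventoried devices")
    for device_id in report["unmanaged"]:
        print(f"  UNMANAGED: {device_id} is in inventory but has no endpoint agent")
    for device_id in report["unknown"]:
        print(f"  UNKNOWN:   {device_id} signed in to company apps but is not in inventory")
```

Run on real exports, the two lists are the action items: enrol or retire every unmanaged device, and identify the owner of every unknown one. The coverage percentage is the single number worth tracking quarter over quarter.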
4. Limit Access to Limit Blast Radius
Cyberattacks often succeed by exploiting unnecessary access. By limiting who can access critical systems and data, you can reduce the impact of a potential breach.
Best practices:
- Apply the principle of least privilege: Give employees access only to the systems and data they need for their roles.
- Do not repeat passwords: We use password managers, but even relying on a paper notebook is FAR better than reusing passwords.
- Use multi-factor authentication (MFA) to add an extra layer of protection wherever possible.
- Regularly review and update access permissions—especially when employees leave or change job roles.
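The access review in the last bullet is easiest to do mechanically: compare what each system actually grants against who is still employed and what their role legitimately needs. The following is an added example, not code from the original post; the roster, role policy and grants are constructed sample data standing in for an HR list and the user exports of the office's applications. It goes slightly beyond the text by also flagging one person holding both halves of a conflicting pair of entitlements (for example, initiating and approving the same payment), which is the access pattern wire-fraud schemes depend on.

```python
"""Access review: find grants that violate least privilege.

Added example with constructed data. The roster, the role-to-entitlement
policy and the current grants are hypothetical and stand in for an HR export
and the user lists of each application or identity provider.
"""

# Constructed HR roster: who works here, in what role, and whether they still do.
ROSTER = {
    "alice": {"role": "cio", "status": "active"},
    "bob":   {"role": "analyst", "status": "active"},
    "carol": {"role": "bookkeeper", "status": "active"},
    "dave":  {"role": "analyst", "status": "departed"},
}

# Constructed policy: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "cio":        {"portfolio-db:read", "portfolio-db:write", "bank-portal:approve"},
    "analyst":    {"portfolio-db:read"},
    "bookkeeper": {"bank-portal:initiate", "ledger:write"},
}

# Constructed: what the applications report today.
CURRENT_GRANTS = {
    "alice": {"portfolio-db:read", "portfolio-db:write", "bank-portal:approve"},
    "bob":   {"portfolio-db:read", "portfolio-db:write"},                      # write is excess for an analyst
    "carol": {"bank-portal:initiate", "ledger:write", "bank-portal:approve"},  # can approve her own payments
    "dave":  {"portfolio-db:read"},                                            # left the firm, still has access
    "svc-backup": {"portfolio-db:read"},                                       # account with no owner in HR
}

# Pairs of entitlements one person should never hold together.
CONFLICTING_PAIRS = [("bank-portal:initiate", "bank-portal:approve")]


def review_access(roster, role_entitlements, grants):
    """Return (user, finding, entitlements) for every grant that should be removed or justified."""
    findings = []
    for user, entitlements in grants.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan", sorted(entitlements)))      # nobody in HR owns it
            continue
        if person["status"] != "active":
            findings.append((user, "departed", sorted(entitlements)))    # offboarding missed it
            continue
        allowed = role_entitlements.get(person["role"], set())
        excess = entitlements - allowed
        if excess:
            findings.append((user, "excess", sorted(excess)))            # more than the role needs
    return findings


def separation_of_duties(grants, conflicting_pairs):
    """Users holding both halves of a conflicting pair, e.g. initiate and approve a payment."""
    return sorted(
        user
        for user, entitlements in grants.items()
        for first, second in conflicting_pairs
        if first in entitlements and second in entitlements
    )


if __name__ == "__main__":
    for user, finding, entitlements in review_access(ROSTER, ROLE_ENTITLEMENTS, CURRENT_GRANTS):
        print(f"{finding:8} {user:12} {', '.join(entitlements)}")
    for user in separation_of_duties(CURRENT_GRANTS, CONFLICTING_PAIRS):
        print(f"conflict {user:12} can both initiate and approve payments")
```

Each "departed" or "orphan" line is an account to disable today; each "excess" line is a grant to remove or to document as a deliberate exception. Running this on the day an employee leaves or changes role, rather than only quarterly, is what turns the last bullet above into a habit.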
Final Thoughts
Cybersecurity is a journey, not a destination. Every firm faces unique risks and challenges, which is why tailored advice is essential. While these general guidelines are a great starting point, I encourage you to consult professionals to craft a cybersecurity strategy that meets your specific needs.
Interested in learning more about what we’ve seen working well for our clients? Contact us to start the conversation.
For disclaimers, visit https://www.optoinvest.com/disclaimers.