Closing Cybersecurity Gaps in Family Offices

Filling in the vulnerabilities: identity, vendors, and recovery

Executive Summary

Family offices, trusts, and law firms that work with very wealthy clients are at the top of the global wealth pyramid and have a lot of private information. Surveys, however, show that they are still surprisingly vulnerable. For example, Deloitte found that 43% of family offices around the world have been the target of a cyberattack in the last two years, with half of them suffering multiple breaches. Alarmingly, only about 10–12% of these organizations feel safe. This white paper looks at the main weaknesses that make family-sector entities easy targets, such as weak identity and access controls, old IT systems, unmanaged third-party access, and untested incident recovery. It also gives specific, actionable advice on how to fix these problems. In each section, the best practices and controls for identity management, vendor access governance, and resilience testing are explained. The advice is for high-level executives (CEOs, CIOs, CFOs, IT and risk leaders) who need to set policy and allocate resources to keep global and European family offices, trusts, and law firms safe from new threats. We use real-life examples and expert survey data throughout to show what is at stake and help with making strategic decisions.1

The Family Office Threat Landscape

Family offices and similar businesses have a unique and quickly growing cyber risk profile. These groups handle huge portfolios that are often spread out around the world and private information that is very valuable to hackers and state-sponsored actors. But because of their culture and structure, many are not adequately protected. For example, an industry survey found that only 11% of family offices say they are "very well protected," while 12% say they are "not protected at all."3 A Citibank report found that only 11–12% of respondents thought their cyber risks were "very well managed," which is much lower than their confidence in managing investment or reputation risks.4 This disconnect shows that some family office leaders are complacent and think their internal trust culture or personal profile protects them. In fact, experts say that "cybersecurity is the number one risk that family offices are not prepared for." Wealth itself draws attackers: organized crime groups see cybercrime as more profitable than the global drug trade. In Europe, family offices have to follow strict data privacy laws (GDPR, Switzerland's FADP, etc.), which makes any breach even more serious. Compliance also necessitates stringent controls over personal data and transnational flows. European wealth centers like Zurich, London, Luxembourg, and others are also prime targets because they are home to high-profile families and their advisors who have valuable information. The 2024 Deloitte cyber report on family offices says that cybersecurity worries are "very important" to executives, but they do not put their money where their mouth is.

In practice, many family offices have complicated structures that span multiple jurisdictions, similar to law firms and trusts. These structures often include holding companies or layered trusts, which make it hard to keep an eye on everything. While these can legally protect assets, they also make it easier for attackers to get into more systems and entities.

In short, family offices are lucrative targets that are easy to attack. Recent surveys show that breaches at family offices are very common. One survey found that more than 20% had been attacked in the past year.9 Even worse, attacks are often successful; credential theft, social engineering, and ransomware are all common attack methods. A study of law and finance firms found that in 2024, the average amount of money demanded by ransomware was more than $500,000 per incident. Even though there have not been any publicized incidents, anecdotal accounts from insiders suggest that things are happening quietly. The combination of high stakes and weak defenses calls for immediate action.

Family Office's Main Weaknesses

Security for Computers

Family offices and similar businesses often have the same problems with cybersecurity over and over again:

Weak controls for identity and access

A lot of small businesses still only use passwords to prove who they are. They often do not have multi-factor authentication (MFA) on important systems or email, they use shared or unmanaged accounts, and they do not have any automated identity management. This makes it easy for attackers to get into accounts. MFA is still not very common outside of big companies around the world (only ~27–34% of companies use it),11 and over 99.9% of breached accounts had no MFA enabled.12 In practice, family office staff and advisors often write down or reuse passwords and may not check who has access to important data on a regular basis.

Old infrastructure and patching

A lot of offices have old servers, workstations, or specialized software that is not well maintained. Family offices may put off software upgrades and security patches because they are too expensive or too hard to do. This means that known weaknesses are still there. For instance, WannaCry (2017) and NotPetya (2017) were global ransomware attacks that took advantage of unpatched enterprise systems, bringing down healthcare, manufacturing, and even government services around the world.13 In family offices, unpatched email servers, file shares, or even cloud misconfigurations can make it easy for hackers to get in. Old hardware, like old network firewalls or unsupported OS versions, also does not have modern security features like encryption and endpoint security, which makes the gap even bigger.

Unmonitored Access by Vendors and Third Parties

Family offices often hire other companies to do things like accounting, IT support, and managing their portfolios. Every vendor or advisor with access to the network adds risk. Recent industry reports stress that "cyber threats often come in through third parties."14 If a trusted service provider is hacked or set up wrong, it can give attackers a way into the family office's network. The SolarWinds breach in 2020 showed how hackers can get into hundreds of businesses through a software vendor. Family offices also depend on a loose network of advisors and consultants; without centralized governance, vendor accounts can stay active long after they are needed, giving attackers a lot of room to work. Vendor accounts that are not monitored or audited, with no record of when they log in or what they access, could allow bad behavior to go unnoticed.

Incident Response and Recovery That Has Not Been Tested

A lot of companies do not have a formal incident response (IR) plan or a way to test backups. "Paying to make it go away" is a common situation where offices only spend money on security after a breach. Without a pre-defined IR plan, initial reactions can be chaotic. There is a specific gap in data recovery: even companies that have backups do not always check them. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says that you should "keep offline, encrypted backups of your data and test them often."15 Family offices may have backups (for example, to a local NAS or the cloud), but they may never have done a full restore test. If ransomware strikes, a backup that has not been checked could turn out to be lost or incomplete, which slows down recovery and makes people pay ransoms. In the rush to respond, important roles and contacts for crisis management are often not written down. The result: critical hours of delay and possible data loss when something goes wrong.

Making Identity and Access Stronger

One of the most common and exploitable gaps is weak identity controls. Administrators often give users too much access or forget to turn off access for former employees. Compromised credentials are widespread, and if there is no MFA, phishing and password theft are two of the most common ways for attackers to get in.

Problems

In small offices, several family members and advisors may have access to the same accounts or be able to share them. People often have local admin rights or access to databases that they shouldn't. Password policies might not be very strict (for example, there might not be any enforced complexity or rotation). Email accounts, which store client data and are used to send wire instructions over the internet, often lack hardware tokens or app-based second factors. According to a 2025 JumpCloud survey, only 27% of very small businesses use MFA.18 Also, accounts that are no longer active (like that of a portfolio manager who left months ago) often stay live. So, if that account is hacked, it still lets the attacker into current systems. The ThreatIntelligence report on law firms shows this: "weak passwords, lack of multi-factor authentication (MFA), [and] deficiencies in network segmentation" were common in breach aftermaths.19 We see the same patterns at family offices.

Suggestions

  • Multi-Factor Authentication (MFA): Make sure that MFA is required on all important and external systems, such as email, VPN, and cloud consoles. Even basic MFA stops about 99.9% of automated credential attacks.20 Use authenticator apps or FIDO keys instead of SMS, which can be defeated by SIM-swapping. Give high-privilege users, such as family principals or trustees, hardware tokens.
  • Least Privilege and Role-Based Access: Set up roles like "investment analyst," "family trustee," and "legal counsel" and give them the right permissions. Do not give any user more access than they need to do their job. Check permissions from time to time to get rid of rights that are not needed. Use separate "view-only" and "transact" accounts for very sensitive data, like wire authorization systems, so that credentials cannot be used for anything else.
  • Single Sign-On (SSO) and Directory Services: Use a central directory, like Azure AD or on-premise LDAP, to manage user identities. SSO can make managing credentials easier (fewer passwords to remember) and make MFA enforcement easier. When someone quits or changes jobs, deprovisioning happens in one place, which turns off all services that are connected to that person at once.
  • Privileged Access Management (PAM): For administrative accounts like server/AD admins and C-level financial accounts, think about a PAM solution that requires check-out of one-time use credentials or privileges. This keeps those accounts from being phished or misused indefinitely. Always use MFA on accounts with special access.
  • Password Hygiene: Make sure that passwords are strong (in terms of length and complexity) and change them when you can. Teach all employees not to do things like writing down passwords. Use enterprise password managers so that every password can be unique and still be retrieved safely (no sticky notes).
  • Logging and Monitoring: Turn on audit logging for identity systems. Keep an eye out for strange logins, like ones from new devices or ones that do not match up with your location. Many IAM platforms come with built-in risk analytics that let you know when something strange happens. The team can look into something strange right away, like a login from another country at 2 a.m.
  • Onboarding and Offboarding: Give new users (family members, employees, vendors) temporary access to their accounts until they have been vetted. Most importantly, when someone leaves, you should immediately disable or change their account. Keep an up-to-date list of all active users who can access each system.
  • Periodic Access Reviews: At least once a year, have a security committee or the leadership check all access rights. Check against current roles. This keeps dormant accounts from hiding out for a long time.

These IAM steps are not just one-time projects; they are things that need to be done all the time. Policies should make it clear that all user access needs MFA and that passwords must be changed every 90 days, etc. And most importantly, leaders must make sure it happens. If a trusted partner does not want MFA, the office still has to insist or get a new tool.

Updating Infrastructure and Patching

Old systems and bad patch hygiene are a ticking time bomb. Family offices sometimes use software that is decades old, like legacy trust accounting tools or in-house utilities, which hackers can easily take advantage of. In one well-known case, a small business's old Windows Server was hacked through a flaw that could be patched, allowing attackers to drop ransomware. The business did not have any recent backups and had to pay to get the files back. Whether servers are on-site or in the cloud, unpatched vulnerabilities are a common way for malware and data theft to get in.

Problems

Upgrades can be put off because of a tight budget or fear of downtime. Some offices even use Windows 7 or older versions of Windows Server because their custom apps need them. If you do not keep your software up to date, any known security hole (like Exchange vulnerabilities or Citrix flaws) is fair game. A lot of them also do not divide up their network. If a legacy file server is hacked, an attacker can move laterally to other important assets without a firewall in the way.

Advice

  • Patch Management Program: Set up a strict schedule for patches. Use managed tools like WSUS, Intune, or cloud patch services to automatically install patches on servers and computers. For software that is not Windows-based, sign up for the software vendor's update channel. Make patching a top security priority. For instance, important Windows patches should be installed within days, not months, of their release. "Keep calm and patch on," said one bank CEO.21
  • Upgrade or Replace Unsupported Systems: Any system that is no longer supported (like Windows Server 2012, Windows 7, or old VPN appliances) should be replaced. If you cannot replace it right away, keep it completely separate (for example, put it in a separate VLAN that cannot connect to the Internet except for updates). Even better, plan to move these kinds of services to platforms that are supported. For instance, move mailbox servers that are on-premises to a cloud mail service, or get rid of an old accounting app in favor of a new SaaS solution.
  • Network Segmentation: Break the network up into zones. For example, keep the client data systems separate from the office computers and any services that are open to the public. Firewalls or VLAN rules should only let traffic between zones that is absolutely necessary. This way, if one part is broken into, it does not automatically put the whole network at risk.
  • Endpoint Protection: Even newer PCs and servers should have good endpoint protection (antivirus/EDR) installed. Make it update automatically and keep an eye on it from one place. A few family offices are hesitant to put any agents on devices, but doing so helps catch malware early.
  • Cloud and Virtualization: Think about moving the right workloads to cloud platforms that are well-managed. Cloud providers often include built-in security and patching. At the very least, use virtualization (VMware, Hyper-V) to make it easy to take snapshots and roll back in case of problems. Make sure that MFA and limited access protect the cloud accounts themselves.
  • Regular Vulnerability Assessments: At least once a year, run vulnerability scans or pen tests to find weak spots. A number of consulting firms offer penetration testing packages made just for small businesses. If scans show missing patches or open ports, fix them right away. Many insurance companies now require vulnerability scans at least once a year as a condition for cyber coverage. CISA says that "good cyber hygiene," which includes patching and backups, "keeps your network healthy."22

In practice, you should keep track of all your assets, such as workstations, servers, routers, and IoT devices, so that nothing gets missed. Automated asset management tools can mark devices that do not follow security rules, which makes it easier to enforce them. Do not forget that modern cybercriminal toolkits often take advantage of known weaknesses quickly. One system that has not been patched can put the whole company in danger.

Access for Vendors and Third Parties

Compromise by a third party is now one of the main causes of breaches. Family offices depend on a lot of outside people, like IT support companies, financial advisors, cloud providers, law firms, and others. Each one is a possible way to attack. According to some sources, 42% of companies say they have had a breach at a vendor they rely on. Attackers are aware of this and are increasingly going after smaller service providers whose security is not as strong.

Problems

A lot of family offices give any consultant a VPN or remote desktop account, sometimes with a lot of rights and no end date. Vendors sometimes share staff members’ accounts, which makes it impossible to figure out who did what. To make matters worse, there is often no official way to check a new vendor's security practices. A deal might say something about privacy but not require insurance or security audits. When things go wrong, family offices often find out too late when a vendor has a breach because they cannot see the vendor's system.

Suggestions

  • Keep a list of all third-party access: Keep a list of all the vendors or consultants who have any level of access to your IT environment, including the cloud, networks, and physical offices. Keep track of what they access and how they do it. Do not let personal or unmanaged email addresses have access; only use corporate emails that you control.
  • Least-Privilege Vendor Accounts: Only give vendors the bare minimum access they need, just like you would with your own staff. If a cloud system allows, put vendors in the "external consultant" user group on the platform. Do not let vendor staff share login information; instead, give each vendor representative their own username and password. Also, require multi-factor authentication on their accounts. Use Just-In-Time (JIT) access if possible: set it up so that vendor accounts are turned off by default and can only be turned on for a short time when needed.
  • Security Clauses in Contracts: All service contracts should require vendors to meet minimum security standards. For instance, contracts can require demonstrated ISO 27001 or SOC 2 compliance, proof that the vendor's employees have received security training, and the right to audit. Contracts should make it clear that the vendor will report any data breach right away and that the vendor's insurance will cover it. Get legal help to add standard data protection clauses to all contracts. If a security breach happens, you should have the right to end the contract.
  • Regular Vendor Risk Reviews: Look at vendor risk again every year or so. Important questions: "Has the vendor's security changed? Have they had any incidents? Have their workers changed?" For important vendors, think about using questionnaires or even on-site audits, depending on how risky they are. Use risk scores to choose which vendors need more careful supervision. It is a good idea to align this with procurement: any vendor over a certain risk or spending level requires a formal security review.
  • Monitor Vendor Activity: Make sure that vendor activities are recorded. If vendors use RDP, VPN, or other tools to access your system from a distance, you should keep logs of their sessions and look at them from time to time. If you can, limit vendor access to certain parts of the network and use firewall rules to control what they can do. Routing all third-party remote sessions through a bastion host or jump server that records the activity is becoming a best practice. This lets you see what happened after the fact.
  • Emergency Offboarding: Have a way to quickly take away a vendor's access when necessary (for example, when a project is finished, a contract ends, or there is a suspicion of compromise). The process should be as quick as shutting down an internal user's account. Some companies automate this by connecting their contract management systems to their IT systems. This way, when a contract ends, all related accounts are automatically turned off in the database.
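The periodic access review and offboarding checks from the identity section, together with the vendor inventory, expiry and shared-account rules above, can be run as a script over a directory export. This is an added example, not part of the original white paper; the CSV columns, the 90-day dormancy threshold, the roster and the domain list are all assumptions, and the data is constructed.

```python
"""Periodic access review over a directory export (staff and vendor accounts)."""
import csv
import io
from datetime import date

DORMANT_DAYS = 90  # assumption: dormancy threshold, set this from local policy

# Constructed sample data. Column names are assumptions about what a
# directory or IAM export could contain, not a real product's schema.
SAMPLE_EXPORT = """\
username,holder,account_type,mfa_enabled,enabled,shared,last_login,access_expires,email
a.keller,Anna Keller,employee,yes,yes,no,2025-05-28,,a.keller@office.example
t.former,Tom Former,employee,yes,yes,no,2025-01-10,,t.former@office.example
trustee1,Maria Rossi,principal,no,yes,no,2025-05-30,,m.rossi@office.example
acct-vendor,Ledger LLP,vendor,no,yes,yes,2025-05-29,,ledger@freemail.example
it-support-jb,J. Brown,vendor,yes,yes,no,2025-05-20,2025-04-30,j.brown@itvendor.example
it-support-kl,K. Lee,vendor,yes,no,no,2025-03-01,2025-12-31,k.lee@itvendor.example
"""
REVIEW_DATE = date(2025, 6, 1)                   # fixed so the result is reproducible
CURRENT_PEOPLE = {"Anna Keller", "Maria Rossi"}  # constructed roster; Tom Former has left
MANAGED_DOMAINS = {"office.example", "itvendor.example"}  # constructed corporate domains


def _parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty field."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def _is_yes(value):
    return value.strip().lower() == "yes"


def review_accounts(csv_text, today, current_people, managed_domains):
    """Return {username: [flags]} for every enabled account with a finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _is_yes(row["enabled"]):
            continue  # already disabled, nothing to revoke
        flags = []
        is_vendor = row["account_type"].strip().lower() == "vendor"

        if not _is_yes(row["mfa_enabled"]):
            flags.append("NO_MFA")

        # An account that never logged in is treated as dormant too.
        last_login = _parse_date(row["last_login"])
        if last_login is None or (today - last_login).days > DORMANT_DAYS:
            flags.append("DORMANT")

        # Offboarding gap: the holder is no longer on the roster.
        if not is_vendor and row["holder"].strip() not in current_people:
            flags.append("DEPARTED_STILL_ENABLED")

        if _is_yes(row["shared"]):
            flags.append("SHARED_ACCOUNT")

        if is_vendor:
            expires = _parse_date(row["access_expires"])
            if expires is None:
                flags.append("VENDOR_NO_EXPIRY")
            elif expires < today:
                flags.append("VENDOR_ACCESS_EXPIRED")

        domain = row["email"].rsplit("@", 1)[-1].strip().lower()
        if domain not in managed_domains:
            flags.append("UNMANAGED_EMAIL")

        if flags:
            findings[row["username"]] = flags
    return findings


if __name__ == "__main__":
    report = review_accounts(SAMPLE_EXPORT, REVIEW_DATE, CURRENT_PEOPLE, MANAGED_DOMAINS)
    for user, flags in report.items():
        print(f"{user:15} {', '.join(flags)}")
```
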

"Cyber threats often enter through third parties," so it is important to treat vendor governance as an ongoing security function. Checking references during onboarding is not enough; you need to keep an eye on them all the time. In real life, companies might set up a vendor governance committee made up of people from IT, legal, and finance that meets every three months to go over risks from third parties. If you use vendor IT support, for example, that provider should be tested for security holes and must tell you about any red teams or attacks it sees. Limiting vendor risk often means making trade-offs, like paying more for a service that has been SOC 2-audited. These are reasonable insurance costs for protecting family wealth worth billions of dollars.

Getting Ready for and Recovering from an Incident

There is no perfect defense. A mature family office's security plan should include the possibility of a breach and plan for it. The goal is to find the problem quickly, limit the damage, and get operations back up and running with as little data loss as possible.

Problems

A lot of family offices do not have a formal incident response (IR) plan. If there is an attack, the staff might not know who to tell (CISO? CIO? legal counsel? law enforcement?). There is often confusion about roles and communication, both inside and outside the organization. Backup and recovery processes are usually not very formal. One bad process might be "we copy all files to tape or the cloud every night and hope they restore." But without testing, no one knows if those backups can be restored on live systems or if they have been quietly damaged by a virus. After a breach, companies that do not have a tested recovery plan could be extorted or face long periods of downtime.

Suggestions

  • Written Incident Response Plan: Write a short IR plan that gives people specific jobs (incident commander, legal, PR, IT leads, family liaisons) and people who can make decisions. It should list the steps for initial containment, investigation, family notification, and reporting to the government. Practice situations like "a major ransomware encrypts email servers" or "a stolen hard drive with client data." Tabletop exercises (even just half a day) can show where communication is weak. The Morgan Lewis guide says that an IR plan should include "roles and responsibilities, communication strategies, and recovery procedures."25
  • Regular Backup Testing: CISA says, "backing up is your best bet," but it is very important to test your backups.26 Plan at least one full restore to a test environment every year. Make sure the restored system starts up and that the data is safe. If you can, keep an unchangeable or offline backup copy (on tape or in a separate cloud) to protect against ransomware that encrypts backups. Follow the "3-2-1 rule": Store at least three copies of your data on two different types of media, with one copy stored offsite and offline.
  • Business Continuity Planning: Find out which of your applications are the most important (like trading, fund accounting, and communications) and write down what they need to get back up and running (Recovery Time Objective and Recovery Point Objective). Have fallbacks in place: for example, if your main email goes down, do you have a secure email account for urgent trustee communications? What manual workarounds are there if trading systems are locked? You should practice these steps in drills that pretend there is a system outage.
  • Detection and Monitoring: Get tools that can find problems early on. A simple example: file integrity monitoring on important system directories to catch unauthorized changes. You can also use SIEM or log aggregation to look for known attack patterns (multiple failed logins, antivirus alerts turned off, and uploads of stolen data). Alerting helps close the gap between a breach and a response. For smaller offices, managed detection services (MDR) can do this job for a low cost.
  • Cyber Insurance Alignment: If you have cyber insurance, make sure the insurer is involved in the incident early response team (many policies include IR consulting). Make sure the policy covers costs for forensic work, legal fees, and, if necessary, public relations. One Risk Strategies analysis says that policy terms often include "incident response support: immediate access to forensic consultants and legal advisors," which can be very helpful.27 Verify coverage matches your real risk profile (for example, some policies have low sublimits for extortion, which might not be enough for a big demand).
  • Always Improving: After any event or drill, do a "post-mortem" review of what was learned. Make changes to the IR plan and controls based on what was missing or not working. A stale IR plan will not help you in a crisis, so keep it up to date and written down.

With this preparation, a family office moves its cybersecurity stance from "if" to "when." It is much more expensive to lose time because of confusion or broken processes than it is to invest in drills and readiness. Keep in mind that advanced attackers can stay in networks for a long time without being found; strong monitoring and a quick response can mean the difference between a small breach and a huge loss.

Culture, Training, and Governance

Technology alone will not fix the security hole. The leaders need to create an environment where people are always on the lookout. This means making cybersecurity a strategic priority and not just an optional expense. CEO and board involvement is important: reporting cyber risk at the board level makes sure it is given the same amount of attention as legal or financial risk.

In practice

  • Getting Leaders on Board: Executives should get regular updates on cyber trends and the security of their office. Metrics, like the percentage of patched systems or the number of phishing emails, help show how far you have come. Running simulations and checking how long it takes to recover from a backup test are two ways to show progress. A simple metric could be "time to restore critical servers from last known good backup." This shows how different tested and untested recovery plans are.
  • Clear Policy: Make sure your security policies (acceptable use, device management, reporting incidents and classifying data) are short and clear. A short handbook or intranet page that lists what to do and what not to do can help even small offices. For instance, a policy could say that no one is allowed to store client personal data on their own smartphones. Breaking the rules should be dealt with right away, no matter who does them.
  • Training and Awareness: Employees, family members, and managers should all get personalized cybersecurity training at least once a year. Some of the topics are recognizing phishing emails, social engineering threats (like caller ID spoofing), device security, and how to tell someone about something you think is wrong. Family offices often do not see this need because team members know each other well, but attackers use that trust against them. At least once a year, it is a good idea to run a phishing simulation to see how aware people are. This will show you who clicked on a fake malicious link.28
  • Clear Escalation Paths: Because these groups are so close-knit, there may be uncertainty about "whose job" security is. Choose someone inside the company to be in charge of security (it could be the CIO or a senior staff member) and give them the power to enforce controls and bring problems to the attention of top management. If there is not one today (surveys show that only about 15% of offices have a cybersecurity lead), choose one. This person talks to any outside managed service providers and makes sure they do what they say they will.
  • Protecting Social and Physical Vectors: Keep in mind that cyber risk is a part of overall safety. Offices should be in charge of who can physically get to servers and workstations, and think about the safety of the principals (some family offices work with private security teams). Easy things like screen privacy filters and requiring screens to lock after a few minutes of not doing anything help. Also, teach your family members about sharing too much on social media. One consultant said that sharing real-time locations on fitness apps inadvertently helped stalkers and cyber-extortionists.29
  • Following the Rules: Make sure that data protection laws (like GDPR or local data laws) are part of security policies. This means that breach notification procedures must follow the law's time limits (for example, GDPR says they must be done within 72 hours). Some offices may deal with data from outside the EU, like trusts in Jersey or Switzerland, but when EU clients or data are involved, GDPR usually kicks in. Even if you do not have to, you should name a data protection officer (DPO). A DPO can help keep things in line even when they are outsourced.

Final Thoughts

Family offices, trusts, and law firms that work with wealthy clients have a lot of information and property, and hackers know it. The way forward is clear: treat cybersecurity as a company-wide problem and fix the holes one by one. This means putting into action strong identity controls (especially MFA and access reviews), fixing old technology with proactive patching, strictly controlling all third-party access, and practicing how to recover from an incident. You cannot do these steps all at once, but you need to make them a priority. Not doing anything is much riskier: almost half of family offices have already been hacked,30 and every day that goes by without strong defenses and tested backups makes it easier for another breach to happen.

The experts we talked to and the industry guides we looked at all agree on the same advice. For instance, attackers at law firms often take advantage of "weak passwords, lack of multi-factor authentication, [and] absence of security monitoring", all problems that can be fixed.31 Morgan Lewis says that cybersecurity "should be thorough and proactive, aimed at safeguarding assets and personal and financial information."32 In the same way, Dentons stresses the importance of closing the gap between risk awareness and action: 71% of family offices expect attacks, but only 31% have mature risk processes in place.33

By putting in place the controls and frameworks listed above, family office leaders can greatly increase their security baseline. The first step is to be honest about where you are: an independent security audit or "health check" of systems can find weaknesses that are not obvious. After that, set aside money for the defenses that cost the least, such as MFA and backups. Training staff often gives a high return on investment. Leadership must make sure that everyone involved, including family members, employees, and service providers, thinks in terms of "secure by design."

In short, keeping family wealth safe in the digital age is a long-term, strategic problem. Gaps that exist today are invitations for thieves tomorrow. Family offices can close those gaps and protect assets from today's and tomorrow's cyber threats by having clear rules, using modern technology controls, and following tried-and-true plans.

Endnotes

  1. Deloitte. Cyber Report for Family Offices in 2024. Insights from Deloitte, 2024.
  2. A. Al-Enazi. "Family Offices Must Prepare for Cyber Security Threat." Professional Wealth Management, 2025.
  3. Ibid.
  4. Crabb, J. "Family Offices Are Not Ready for Cyber Threats." Institutional Investor, 2025.
  5. Ibid.
  6. Strategies for Risk. "How to Protect Your Family Office from Cyberattacks." Risk Strategies Blog, 2024.
  7. Deloitte. Cyber Report for Family Offices in 2024. Deloitte Insights, 2024.
  8. Brooke Harrington. Capital Without Borders: Wealth Managers and the Top One Percent. Harvard University Press, 2016.
  9. Dentons. The Changing Risk Environment for Family Offices: A Cybersecurity Survey. Dentons Global, 2024.
  10. Gilmore, D. "Inside the Breach: Real-Life Tales of Law Firm Hacks." Threat Intelligence, 2024.
  11. Ozsahan, H., and D. Worthington. "2025 Statistics for Multi-Factor Authentication (MFA) Trends to Know." JumpCloud, 2025.
  12. Ibid.
  13. The Society of Law. "65% of Law Firms Have Been the Victims of a Cyber Incident." Society Blog, 2024.
  14. Atlas Systems. "Vendor Governance Framework: Best Practices for Security." Atlas Systems Blog, 2024.
  15. CISA. "StopRansomware: Backing Up Is Your Best Bet." U.S. Cybersecurity and Infrastructure Security Agency.
  16. Morgan Lewis. The Basics of a Good Cybersecurity Plan for a Family Office. Morgan Lewis Insight, 2024.
  17. Al-Enazi, A. "Family Offices Must Prepare for Cyber Security Threat." Professional Wealth Management, 2025.
  18. Ozsahan, H., and D. Worthington. "Statistics and Information on Multi-Factor Authentication (MFA) in 2025." JumpCloud, 2025.
  19. Gilmore, D. "Inside the Breach: Real-Life Tales of Law Firm Hacks." Threat Intelligence, 2024.
  20. Microsoft Security. "Multi-Factor Authentication Stops 99.9% of Account Hacks." Microsoft Security Blog, 2023.
  21. CISA. "StopRansomware: Keep Calm and Patch On." U.S. Cybersecurity and Infrastructure Security Agency, 2023.
  22. CISA. "StopRansomware: Backing Up Is Your Best Bet." U.S. Cybersecurity and Infrastructure Security Agency, 2023.
  23. Dentons. The Changing Risk Environment for Family Offices: Cybersecurity Survey. Dentons Global, 2024.
  24. Atlas Systems. "Vendor Governance Framework: Best Practices for Security." Atlas Systems Blog, 2024.
  25. Morgan Lewis. The Basics of a Good Cybersecurity Plan for a Family Office. Morgan Lewis Insight, 2024.
  26. CISA. "StopRansomware: Backing Up Is Your Best Bet." U.S. Cybersecurity and Infrastructure Security Agency, 2023.
  27. Strategies for Risk. "How to Protect Your Family Office from Cyberattacks." Risk Strategies Blog, 2024.
  28. Morgan Lewis. The Basics of a Good Cybersecurity Plan for a Family Office. Morgan Lewis Insight, 2024.
  29. Strategies for Risk. "Family Office Cybersecurity: How to Protect Yourself from Cyberattacks." Risk Strategies Blog, 2024.
  30. Dentons. The Changing Risk Environment for Family Offices: Cybersecurity Survey. Dentons Global, 2024.
  31. Gilmore, D. "Inside the Breach: Real-Life Tales of Law Firm Hacks." Threat Intelligence, 2024.
  32. Morgan Lewis. The Basics of a Good Cybersecurity Plan for a Family Office. Morgan Lewis Insight, 2024.
  33. Dentons. Cybersecurity Survey: The Changing Risk Landscape for Family Offices. Dentons Global, 2024.