In today's interconnected world, the landscape of risks faced by family offices has evolved dramatically. Understanding and mitigating these risks is crucial to safeguarding the wealth and well-being of your clients.
| UNDERSTANDING THE SCALE OF CYBER LOSSES
Cybersecurity remains the top concern for family offices around the globe, as highlighted by J.P. Morgan’s Private Bank 2024 Family Office Survey. Family offices, tasked with managing financial and reputational risks, are rightfully concerned, as cybercriminals target the wealthy individuals they serve. One in four family offices has already experienced a breach, and this number rises to 40% for those managing assets exceeding $1 billion.
The financial impact of breaches can be staggering. Losses from cybercrime are projected to increase to $10 trillion in 2025, underscoring the urgent need for family offices to prioritize cybersecurity measures and implement comprehensive strategies to protect assets against evolving threats.
| ARTIFICIAL INTELLIGENCE (AI) DEEPFAKES BECOME PART OF A HACKER'S TOOLKIT
Generative artificial intelligence has introduced a new dimension to cyber risk. Modern AI tools can capture and replicate voices from social media, webinars, and calls, producing highly convincing “deepfakes.”
Deepfakes are synthetic media created using AI to alter or fabricate audio, video or images, making it appear as though someone said or did something they did not. This poses a great threat, making it significantly more difficult for individuals or organizations to distinguish between genuine and fabricated content.
One family office managing a wealthy family’s investments experienced this risk firsthand when it fell victim to a cyberattack that resulted in a $2 million fraudulent wire transfer. The incident began with a phishing email impersonating a trusted investment partner, which led to a malicious site capturing the financial advisor’s login credentials. With access to the office’s email system, attackers created a deepfake audio message that mimicked the principal’s voice and instructed the advisor to expedite a transfer.

The fraud was uncovered only when the actual investment partner asked about the missing funds, triggering an internal review. A cybersecurity firm was quickly brought in to investigate, identify vulnerabilities, and trace the fraudulent transaction. In response, the family office implemented stricter verification protocols, enhanced staff training, and invested in deepfake detection technology. This incident illustrated how quickly AI-driven attacks can evolve and reinforced the need for constant vigilance, robust protections, and adaptive strategies.
With AI fueling increasingly sophisticated attacks, cyber risks are evolving at an unprecedented pace. Family offices must remain vigilant against social engineering tactics such as phishing emails, smishing text messages, vishing calls, and deepfake technology. The common thread across these methods is that they exploit human trust and behavior — tricking someone into clicking a malicious link, sharing sensitive information, or approving a fraudulent transaction.
Strategies to outsmart cybercriminals
It is essential to put protections in place to detect impersonations and stop AI-based attacks before they cause harm. For example, sensitive requests should always be verified through multiple communication channels — such as a direct phone call or face-to-face meeting — before any financial transactions are carried out. Offices should also consider creating a unique safe word or phrase for high-stakes communications, known only to the individuals involved, to confirm authenticity in cases where deepfakes might be used. Asking a simple but critical question — “Is this truly my business partner requesting a transfer, or is it a fabricated voice?” — can prevent losses.
| PROTECT YOUR OFFICE, STAFF AND FAMILY MEMBERS
In the event of a cyberattack, preparation is key. Ensure you develop, test and execute resiliency plans. To help you get started, refer to the best practices below:
Manage people and processes
● Put an employee training program in place—Many cyberattacks start with phishing or malware. Teach your employees how to identify and report suspicious emails or other online activities. Periodically test their knowledge and skills.
● Require encryption for all sensitive communications – confidential, personal, and financial data should be encrypted with a secure communication tool before sending. Avoid sharing sensitive data via messaging apps and opt for secure email.
Engage family members
● Educate family members on cyber risks – Provide ongoing education and awareness on the cyber threats high-net-worth families face. Offer best practices to help them protect themselves and their families at home and while traveling.
● Implement a social media policy for the family – Encourage family members to implement a policy around acceptable usage of social media including appropriate privacy settings, account protections, and what not to share.


Put protections in place
● Require multi-factor authentication (MFA) for all access to sensitive systems, email accounts, and financial platforms. This adds an extra layer of security beyond just passwords, making it much harder for attackers to gain unauthorized access even if credentials are compromised.
● Implement advanced Endpoint Detection and Response (EDR) tools on all devices used by staff. EDR solutions continuously monitor endpoints for suspicious activity, provide real-time alerts, and enable rapid response to potential threats such as malware, ransomware, or unauthorized access attempts.
● Use an email security gateway to filter out phishing emails, malicious attachments, and suspicious links. Modern solutions can also use AI to detect deepfake audio or video content, helping to identify and block potentially fraudulent communications before they reach users.
Have a backup plan
● Create multiple data backups – To restore systems in the wake of a cyberattack, consider storing copies on cloud services or completely offline.
● Conduct a business impact analysis – Assess the potential consequences of a cyberattack on your operations as well as on your recovery strategy. For example:
➊ Could your business operate offline if no online systems are available?
➋ How would you make crucial payments?
➌ Which systems would need to be recovered first?
➍ Who inside the organization would make critical decisions?
➎ What outside parties (partners, regulators, press, customers/clients) would need to be notified if a cyberbreach occurred?
Don’t go at it alone
● Develop a relationship with a cyber-resiliency partner before an incident occurs—A partnership with a digital forensics and incident response firm, for example, can help you mitigate the impact of an attack and reduce the amount of time it takes to recover.
● Supplement your recovery plans with a cybersecurity insurance policy—This can help defray a portion of the losses you may incur.
● Test the strength of your system security—Have an IT and security provider assess the strength of your cyber protections, and implement more robust controls and technologies, if needed.

Prepare, document, and test your cyber response and strategy
● Create a playbook – Take the time to map a clear path to recovering from a cyberattack.
● Conduct regular reviews – Practice and update your resiliency plans on a regular basis to ensure they will be executed successfully in the event of an incident.
| BE PROACTIVE: STRENGTHEN YOUR DEFENSES NOW
In an era where cyber threats are continuously evolving — driven by AI and sophisticated social engineering — family offices must act with urgency. The risks are real, but with foresight, education, and strategic partnerships, it is possible to safeguard clients’ wealth and reputation.
Take action now. Review and strengthen cybersecurity protocols, educate employees and family members, and establish trusted expert relationships. By being vigilant and proactive, you can stay one step ahead of cybercriminals and ensure lasting protection for the families you serve.
This information is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein.

Kevin Tompkins
Executive Director and Cybersecurity Specialist, J.P. Morgan Private Bank.
privatebank.jpmorgan.com

J.P. Morgan
Leader in financial services, offering solutions to clients in more than 100 countries with one of the most comprehensive global product platforms available.
jpmorgan.com