Deloitte's Family Office Cybersecurity Report, 2024, built on a survey of 354 single family offices managing roughly $708 billion in aggregate assets, reports that 43% of family offices globally experienced a cyberattack in the prior 12–24 months. Within North America the figure rises to 57%. For offices managing more than $1 billion, it reaches 62%. The headline finding is that family offices are now routinely targeted at scale.
The breakdown of how those attacks arrive is more revealing. Of the family offices that experienced an attack, 93% saw phishing. Malware (35%) and social engineering (23%) follow at a distance. The Deloitte authors report this as a category. We read it as a defensive disclosure.
Phishing at 93% prevalence is not a noise floor. It is the signature of an attack family that depends on context — what the attacker knows about the principal, the staff, the family, the schedule, the vendor relationships — before any email is sent. That context is built upstream of the IT perimeter, and reducing it is what an exposure-surface programme actually does. The Deloitte report and the broader IT-led cyber programme it describes treat the perimeter as the surface to defend. We argue that the principal's exposure surface, the aggregate of what an attacker can learn about the principal and the family before sending a single email, is the surface where targeted attacks begin and where defence either succeeds quietly or fails expensively.
Who "the principal" is
In family office vocabulary, the principal is the wealth-holder the office serves: the founder who exited, the heir, the family head whose capital created the structure. The staff manages assets on the principal's behalf. From an attacker's perspective, the principal is also the target. The principal's identity unlocks signature authority. The principal's family relationships create pivots into accounts and devices that sit outside the office's IT perimeter. The principal's schedule reveals opportunity windows.
A family office's cybersecurity programme nominally protects "the office." In practice, the asset that matters is the principal, and the principal sits at home, on a personal phone, in residences across jurisdictions, at conferences, on charity boards, and in the inboxes of children and spouses. The IT perimeter does not extend there.
What the Deloitte 2024 report covers, and what it doesn't
Deloitte's coverage of the IT layer is thorough. The report grades family offices on basic measures: multi-factor authentication (85% adoption), regular patching (84%), staff training (58%), maturity assessments (34%). On advanced measures, the picture is starker. Fifty per cent have no disaster-recovery plan, 63% have no cybersecurity insurance, 68% have not adopted "know your vendor" protocols, and 31% have no incident-response plan at all.
The 10-step "leading practices" list at the end of the report restates the IT discipline: cybersecurity operations, maturity assessment, identity and access management, third-party risk, asset baselines, user training, incident response, disaster recovery, business continuity, insurance.
What the report does not cover, anywhere across its 27 pages, is the principal's own digital exposure outside the office network. The principal's people-search-platform listings, residence records, family relationships, public regulatory filings, conference appearances, and credential exposures across breach corpora are not addressed. Yet every targeted phishing campaign ever run against a family office began with that material. The report's framing of cybersecurity as IT controls is internally consistent. It is also incomplete in the layer that matters most for the 93% phishing finding it itself reports.
Why phishing succeeds at 93%: a reconnaissance problem
The Deloitte report contains its own demonstration of the gap. In a case study on page 18, the CEO of a single family office describes an attempted attack:
"My assistant got an email from someone who knew I was speaking at a conference. The email was tailored to her as if it were from the event holders. Something seemed wrong, so she had our security team examine the email and they confirmed it was malware. Thankfully, she did not open the attachment."
The attacker knew the principal was speaking at a conference. The attacker knew the assistant managed inbound correspondence. The attacker knew enough about the event to construct a plausible sender identity. None of that came from the office network. It came from open sources: conference programmes, the principal's LinkedIn, the assistant's professional profile, the principal's prior speaking engagements.
This is the structure of the 93%. Tailored phishing requires context. Context is acquired through reconnaissance. Reconnaissance happens in public. The IT controls that the family office had in place did not prevent the email from arriving. They ensured it was caught after arrival. The defence worked, in this case. It worked because the assistant noticed something off, escalated to a security team, and the team caught it. Most attempts that succeed do so because that catch sequence does not engage in time.
A family office that wants to lower the 93% does not get there by adding more email filters. It gets there by reducing the discoverable context that makes the email plausible in the first place.
The principal's exposure surface: six categories
When we map a principal's exposure surface, we work across six categories. The depth of each varies by jurisdiction, profile, and history, but the categories are stable.
Personal identifiers. Date of birth, current and historical residential addresses, phone numbers, personal email addresses, surfaced across people-search platforms (Spokeo, BeenVerified, Whitepages, Intelius and equivalents). For US-resident or US-tied principals these platforms are extensive. For European principals the surface is narrower but rarely empty.
Family relationships. Spouse, children (often surfaced even when the principal is otherwise private), parents, siblings. Family members are pivot targets; their exposure becomes the principal's exposure when an attacker uses a child's compromised social account to phish the principal directly.
Residence patterns. Property records where public, HOA filings, planning permission records, insurance disclosures, and the secondary-residence trail that frequent travel leaves across booking platforms, social check-ins, and visa filings.
Public-record exposure. Corporate filings (Companies House, KvK, SEC EDGAR, equivalent registries), board memberships, philanthropic giving disclosed by recipient organisations, charitable trust filings, regulatory licences, real-estate ownership through corporate vehicles that have been beneficially mapped.
Digital footprint. LinkedIn, conference appearances, podcasts, interviews, press coverage, alumni-association directories, club memberships disclosed in press, the principal's own social posting if any. This is the layer the Deloitte CEO case study turned on.
Credential exposure. The principal's email addresses, the staff's email addresses, and the family's email addresses across breach corpora (HIBP and equivalents) and the stealer-log economy that sits outside HIBP. Stealer logs in particular are the layer most cybersecurity programmes do not see.
The output of the mapping is not a vulnerability list in the IT-audit sense. It is a profile of what an attacker can assemble before launching the email that the IT controls are then asked to catch.
What's outside an IT-only programme
The gap is not that IT controls are wrong. The gap is what they cannot reach.
A maturity assessment scores the office's posture against a controls framework. It does not score the principal's third-name email address that surfaces on Spokeo with a residential address from 2014.
A vendor risk programme reviews the office's third parties. It does not review the principal's spouse's professional services accounts, the children's tutoring vendors, the family's travel concierge — none of which are office vendors, all of which sit on the same person.
A cybersecurity insurance policy underwrites incident response. It does not reduce the discoverable context that makes the next incident more likely.
An incident response plan describes how to respond after an event. It does not narrow the surface that draws the event in the first place.
These are not failures of the IT programme. They are characteristics of where the IT programme stops. Deloitte's 10-step list is a complete description of one layer. It is not a complete description of the principal's defence.
What an exposure-surface engagement delivers
For family offices that want to address the layer the IT programme does not reach, the engagement structure is consistent across our work. We approach it in three stages.
Map. A 4-stage OSINT process: discovery across the six categories above, cross-reference for confidence, verification, and a written report. The methodology mirrors what we describe in how a Mirror investigation runs but applied at family-office scope: the principal, the staff, the family members within engagement scope, and the inferred attacker view of the office itself.
Reduce. Where exposure can be removed at source, remove it. People-search platforms, broker records, opt-out routes under GDPR Article 17 and Article 21 in EU jurisdictions, equivalent removal routes in non-EU jurisdictions where they exist. Where exposure cannot be removed (corporate filings, regulatory disclosures), document and accept it as a constraint, and recalibrate around what is reducible.
Monitor. Continuous re-emergence detection. People-search records re-populate. Breach corpora grow. New press coverage surfaces. A reduction without monitoring is a snapshot; with monitoring, it is a posture.
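As an added illustration of the Reduce and Monitor stages (not PI Solutions' tooling; the record fields, status names and sample records are assumptions constructed for this example), a re-emergence check that compares a fresh scan against the reduction baseline and reports only what changed:

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Exposure:
    category: str  # one of the six categories, e.g. "personal_identifiers"
    subject: str   # "principal", "spouse", "child", "staff"
    source: str    # where it surfaces, e.g. "Spokeo" or "Companies House"
    item: str      # the exposed datum, e.g. "residential address (2014)"

# Reduce-stage outcomes recorded against each Map-stage finding (assumed labels).
REMOVED, ACCEPTED, OPEN = "removed", "accepted", "open"

def diff_scan(baseline: dict, current: set) -> dict:
    """Compare a re-scan against the reduction baseline.

    baseline maps each Exposure found at the Map stage to its Reduce outcome:
    REMOVED (opt-out succeeded), ACCEPTED (irreducible, e.g. a corporate
    filing) or OPEN (removal still pending). current is the set of Exposures
    the latest scan surfaced. Accepted items are counted, not alerted on.
    """
    re_emerged = sorted(e for e, s in baseline.items() if s == REMOVED and e in current)
    new = sorted(e for e in current if e not in baseline)
    still_open = sorted(e for e, s in baseline.items() if s == OPEN and e in current)
    accepted_seen = sum(1 for e, s in baseline.items() if s == ACCEPTED and e in current)
    return {"re_emerged": re_emerged, "new": new,
            "still_open": still_open, "accepted_seen": accepted_seen}

# Constructed sample baseline: four Map-stage findings and their Reduce outcomes.
ADDR = Exposure("personal_identifiers", "principal", "Spokeo", "residential address (2014)")
PHONE = Exposure("personal_identifiers", "principal", "BeenVerified", "mobile number")
FILING = Exposure("public_record", "principal", "Companies House", "director appointment")
CHILD = Exposure("family_relationships", "child", "Whitepages", "linked relative listing")
BASELINE = {ADDR: REMOVED, PHONE: OPEN, FILING: ACCEPTED, CHILD: REMOVED}

# Constructed re-scan: the address has re-populated, the phone is still listed,
# the filing is present as expected, the child listing stayed down, and a new
# breach-corpus hit on a staff mailbox has appeared.
BREACH = Exposure("credential_exposure", "staff", "HIBP", "assistant email in breach corpus")
RESCAN = {ADDR, PHONE, FILING, BREACH}

def monitor_report(baseline=BASELINE, current=RESCAN) -> dict:
    return diff_scan(baseline, current)

if __name__ == "__main__":
    for label, value in monitor_report().items():
        print(label, value)
```

Only the re-emerged and new entries need an analyst's attention; the accepted count confirms the irreducible constraints are still the same ones documented at the Reduce stage.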
The Family Office Privacy Pack on our services page is the productised form of this engagement: principal plus up to four family members, with a one-year Guardian retainer included. The pack is not a replacement for the office's IT programme. It is the layer that sits beneath it.
When IT-first is enough vs. when you need both
We are honest about the threshold. Not every family office needs an exposure-surface programme.
For smaller offices serving lower-profile principals, with wealth not yet in the press, family not in the public eye, no recent transactions or board appointments drawing attention, the Deloitte 10-step list, well executed, may be sufficient. The principal's discoverable context is low. The cost-effective defence is to keep the IT controls disciplined and the staff trained.
The threshold to add an exposure-surface programme is when one or more of the following is true:
- The principal is searchable beyond a basic LinkedIn entry.
- The family has been named in press in connection with the wealth.
- There are multiple residences across jurisdictions.
- The principal serves on boards, sits on regulatory disclosures, or has a recent transaction history.
- Family members have public profiles of their own.
- There has been a prior incident, a credible threat, or a recent change in the principal's public exposure (acquisition, IPO, public appointment, divorce, inheritance event).
Above that threshold, the IT-first programme is necessary but not sufficient. The 93% phishing prevalence in the Deloitte data is concentrated above that threshold: North America, AUM over $1 billion, larger and more visible offices. The exposure-surface layer is where the difference is made.
The companion analysis on the corporate side is right of access reconnaissance: closing the GDPR Article 15 gap, which addresses the same defensive logic against B2B reconnaissance vectors.
If your family office is operating above that threshold and the IT programme is in good order but the principal's discoverable footprint has not been mapped, the exposure-surface layer is the next conversation to have.
If you are weighing whether the exposure-surface layer applies to your office, a short scoping conversation will tell you whether the threshold is reached.
Sources
- Deloitte Private. The Family Office Cybersecurity Report, 2024 — Global Edition. Survey of 354 single family offices, conducted September–December 2023. Aggregate AUM $708 billion; aggregate family wealth $1.3 trillion.
- Verizon. 2023 Data Breach Investigations Report. Cited within the Deloitte report regarding regional attack distribution.
- PI Solutions. Right of access reconnaissance: closing the GDPR Article 15 gap.
- PI Solutions. How a Mirror investigation runs.