What percentage of family offices experienced a cyberattack?

57% of North American family offices experienced a cyberattack in the past 24 months, according to research from Deloitte and Campden Wealth. For family offices managing $1 billion+, that rate rises to 62%. Only 11% describe themselves as well-prepared for cyber threats, 63% carry no cybersecurity insurance, and 31% have no written cyber incident response plan. The data reveals a structural governance gap: most family offices do not employ a dedicated CISO, and cybersecurity decisions default to COOs and CFOs who do not have it as their primary expertise.

The statistic travels well. 57% of North American family offices experienced a cyberattack in the past 24 months. It appears in the Deloitte Family Office Insights report, in Campden Wealth research, in every cybersecurity vendor pitch deck aimed at the family office market. It is a genuinely alarming number. It is also, by itself, not particularly useful.

The problem is not the statistic. The problem is what it does not say.

What the 57% number includes

The underlying surveys use a broad definition of "cyberattack." A successful wire fraud counts. So does a phishing email that was opened but not acted upon. So does a credential stuffing attempt on a family member's personal email. So does a ransomware event that was contained. So does an impersonation attempt against the family office principal that was detected before any action was taken. So, in some survey methodologies, does a suspicious login pattern that was never tied to an actual breach.

This is not a criticism of the methodology. The surveys are measuring threat exposure, not successful breach. That is a reasonable measurement. But it means the 57% number captures something closer to "attempted or experienced a cyber event of some kind" than "suffered a material breach."

What the statistic gets right

The direction of the data is unambiguous, and the trend line is consistent across surveys: the attack rate rises with assets under management (62% for offices managing $1 billion or more), only 11% describe themselves as well-prepared, 63% carry no cyber insurance, and 31% have no written incident response plan.

Put together, the picture is not "most family offices have been hacked." The picture is "most family offices are a target, most are structurally unprepared, and the ones that have been successfully breached rarely talk about it."

Why the governance gap persists

The average family office employs 4–5 IT professionals. None of them report to a Chief Information Security Officer, because most family offices do not have one. Cybersecurity decisions default to the same people who make every other technology decision in the family office: the COO, the CFO, or the principal directly. None of them have cybersecurity as their primary expertise.

The managed service provider running the family office's infrastructure typically sells cybersecurity services as an add-on — which creates a structural conflict. The MSP's cybersecurity recommendations are not independent. They are tied to the MSP's book of business.

The insurance broker recommending cyber coverage is not evaluating the family office's cybersecurity posture in any real depth — the broker is placing a policy, and the carrier's application questionnaire is a checklist, not an assessment. The estate attorney who might flag cybersecurity as a family risk is not a cybersecurity practitioner. The wealth manager is not either.

No one in the family's advisory ecosystem owns cybersecurity. The 57% statistic is what happens when no one owns it.

What family offices should actually do

Three concrete steps, in order of priority:

  1. Establish independent cybersecurity governance. This does not require a full-time CISO. A fractional CISO on retainer provides the governance layer — policy, risk management, vendor security review, incident response readiness, board-level reporting — without the overhead of a full-time hire. The key word is independent: the CISO must not be the same entity selling the family office its cybersecurity products.
  2. Write the incident response plan before you need it. 31% of family offices do not have one. When an incident happens, the absence of a plan is what turns a contained event into an uncontained one. An incident response plan does not need to be 100 pages; it needs to answer three questions clearly: who decides, who calls whom (the bank's fraud desk, outside counsel, and the insurer, whose policy will usually require prompt notice), and what gets preserved for forensics (mailbox and sign-in logs, the affected endpoint, and the wire instructions and messages that carried them) before anyone wipes a machine or restores from backup.
  3. Carry cybersecurity insurance — but evaluate the policy against your actual environment. 63% of family offices have no coverage; many of the ones who do have coverage that would not actually apply in the scenarios they most need it to, most often because social-engineering and funds-transfer fraud, the form the wire fraud counted in the surveys usually takes, sit under a low sublimit or an outright exclusion. Independent review of the policy against the family office's actual exposure is the difference between paying premiums and having protection.

The bottom line

The 57% statistic is true, incomplete, and actionable. It is true because the surveys say so. It is incomplete because "cyberattack" spans a wide range of events with very different severity. It is actionable because the structural gaps it reveals — no independent cybersecurity governance, no incident response plan, no independent insurance review — are gaps that can be closed without a full-time hire, without vendor dependency, and without the multi-month timelines most family offices assume are required.

The families that close these gaps before they are tested are also the ones that rarely appear in the successful-breach statistics the next year. They will still be targeted; that is the part of the 57% no amount of governance removes.
