If you run a family office, the client assets you manage these days carry as much risk as they do reward, says a new study from Boston Private, a wealth management, trust and private banking company.

According to the study, many family offices need to re-examine how they handle various risks, including the threat of cyberattacks, investment trouble and health threats to family members, especially during the Covid crisis.

The study, called “Surveying the Risk and Threat Landscape to Family Offices,” was written by Edward V. Marshall, managing director of Boston Private’s private banking, wealth and trust business.

The research included a survey of more than 200 family office executives. Nearly half of those surveyed (47%) underestimated threat levels or became complacent about risks (41%). Standing in their way, Boston Private said, are limited staff and an emphasis on cost and convenience.

Over a quarter of the respondents (26%) said they have suffered a cyberattack, and in almost two-thirds of those cases, it happened within the last 12 months.

One respondent recounted a recent scam perpetrated on his firm.

“The most serious cyberattack we experienced was when someone posed as one of the principals and asked for a bank transfer to an overseas account,” said one unidentified respondent. “What made it worse was that the principal concerned was traveling at the time and the hacker sent an email from what appeared to be the principal’s account. However, because we employ multiple checks on all payments, we managed to detect the cyberattack and prevent it from succeeding.”

Another respondent described an even more aggressive attempt to exact payment of monies, this time through blackmail.

“We experienced a sophisticated cyberattack from hackers based overseas,” the unidentified respondent said. “They accessed family office data through a server we shared with the operating company, which was also hacked. The hackers wanted us to pay a ransom, or they would release confidential data to cybercriminals. We refused to pay a ransom and stopped the security breach.”

One-third of family offices (29%) said they did not have a business continuity plan in place before the Covid-19 pandemic, and over a quarter (27%) said implementing secure remote working protocols was one of their top risk management challenges.

According to a third unidentified respondent quoted in the study, employees working remotely from home during the pandemic posed yet another risk to family offices.

“We have had several unsuccessful attempts by outside parties to pose as employees and have us wire money to them,” the respondent said in the online study.

While over half of the family offices in the study (58%) said they have trained employees and family members on potential risks, less than a third (28%) said they have conducted stress tests or scenario analysis to back up training and planning.

A majority (80%) said they did not conduct periodic background checks on all personnel, unless their staff had just been hired (68%).

Social media presents a threat as well, since a misplaced social media post or comment, or a stolen email address or personal connection, can tarnish and irrevocably damage a client’s once-sterling reputation and, by extension, the family office charged with protecting it.

Despite the potential for such elevated risks, only 28% of family offices said they offered privacy and reputation management services, which is hardly surprising, Boston Private said, since only 26% of respondents considered reputational risks to be a significant threat to their practice. Only a third believed they presented major or catastrophic impacts, and a majority (72%) thought they had a low chance of occurring.

Family offices that decide to outsource risk and threat management to an external vendor face additional hurdles, the study found. A third of those surveyed (35%) said they found it to be a major challenge, and that outside vendors did not understand their unique concerns (35%). Over a quarter (28%) of family offices said they have never carried out a review of the risks and threats from using a third-party vendor.

Boston Private also found that few family offices offered the equally important yet often overlooked services of physical security and international travel, even though their clients faced the risk of direct physical threats, such as kidnapping and break-ins, both in the U.S. and abroad.

Only 16% of respondents said they used medical advisory services, despite the potential for disruption from significant health issues during the pandemic and the increasing sophistication of medical advisory and risk management tools.

Over a quarter of family offices have developed a network of family offices to share best practices and vendor recommendations, while almost 60% want to see more conferences to help do this, Boston Private reported.

CoreData Research conducted the online survey from May 25 to August 10, 2020. The firm surveyed more than 200 family office executives at single- and multi-family offices managing between $100 million and $5 billion in client assets. Study participants were sourced from Boston Private and its survey partner databases.

Founded in 1987, Boston Private is headquartered in Boston.