The family-office cyber benchmark just got specific: 43% attacked, one in five with no plan
Most principals know their portfolio’s risk numbers to a decimal place and have no equivalent figure for the office itself. This year’s reports change that. The data now lets you benchmark your own operation against peers, and the comparison is unflattering for offices that have treated cyber as an IT line item rather than a board responsibility.
The peer numbers are now specific enough to benchmark
Ocorian’s 2026 Global Family Office Report, drawn from 200 family members and staff across the UK, Switzerland, Bermuda, Cayman and a dozen other markets managing $119bn, found that 43% had suffered a cyber attack in the past two years. Almost a fifth have no defence plan at all, and 22% have no incident-response plan to recover once an attack lands.
For a CEO, the second number matters more than the first. Being attacked is now the base rate; being unable to recover is a choice. An office without a written incident plan is not deciding to accept the risk; it is deciding not to decide, and that distinction is exactly what a regulator or an insurer will probe after the fact. (Source: WealthBriefing)
London’s guidance points straight at third parties
In June the Cross Market Operational Resilience Group, an industry body convened with the Bank of England and FCA, published guidance on frontier AI and cyber security setting out 38 activities and 31 questions for firms. The backdrop: more than 40% of cyber incidents reported to the FCA in 2025 involved a third-party provider.
Family offices are not in the FCA’s perimeter, but they sit downstream of every custodian and administrator that is. When your providers tighten their own third-party diligence, those questions arrive at your door as a condition of the relationship. The offices that can answer them quickly will keep their banking arrangements simple; the rest will spend the next year filling in forms reactively. (Source: FCA)
Switzerland is naming the supply chain as the main route in
FINMA reported a sharp rise in 2025 in cyber attacks reaching financial institutions through suppliers and third parties, and now puts roughly half of all incidents in that category. Its supervisory message for 2026 is that one annual tabletop exercise is no longer evidence of readiness.
The lesson travels directly to family offices, which often run leaner vendor lists than the banks they use and rarely test what happens when a key provider goes dark. A vendor inventory that maps which suppliers touch payments, data and access is the cheapest resilience work available, and almost no office has one. (Source: VinciMind)
Cheaper cyber insurance is not the same as cover
Premiums are expected to fall a further 11% in 2026 as insurers compete, yet more than 40% of cyber claims are being denied, mostly for missing controls or late notification. AI-assisted business email compromise using cloned executive voices rose 37% over the year, per the FBI.
This is the trap for offshore structures in particular. A Cayman or Bermuda vehicle leans on a short list of administrators and trustees, and a denied claim usually traces back to a control gap at one of them. Buying a cheap policy without verifying the controls behind it is insuring the paperwork, not the risk. (Source: Insurance Business)
The through-line this week is third parties and identity. If you do one thing, list every external provider that can move money or access systems, and confirm each has an incident plan you have actually seen. That single document is what separates an office that recovers from one that explains.