This article is provided by PwC Canada

When not if: Ransomware attacks are becoming a reality for family offices. Here’s how to prepare

As threats grow, family offices must look beyond prevention and focus on preparation and response

Every organization is a potential target for cyber-attacks these days, and ransomware—malicious software that can permanently deny access to the victim’s own data unless they pay up—is one of the most common iterations of this pernicious threat. In PwC’s 2025 Global Digital Trust Insights survey of more than 4,000 business and tech executives, chief information security officers in Canada ranked ransomware attacks among the top three most concerning cybersecurity threats. And small wonder: some studies suggest that more than half of all organizations are targeted by ransomware attacks every year. 


Worse, the threat is growing. In a digitally connected business world, third parties—suppliers, customers, IT partners and so on—can comprise significant areas of vulnerability to cybercrime, and in our Global Digital Trust Insights, cloud security breaches, hack-and-leak operations and third-party breaches were among the top threats that executives felt the least prepared to deal with. They were also highly concerned about generative artificial intelligence, with two-thirds of security executives saying that GenAI has increased their organization’s vulnerability to attack. Anecdotally, we are already seeing GenAI-powered deepfakes in text, voice and video being used as vectors for ransomware attacks, and we would expect GenAI to make perpetrators’ campaigns ever more sophisticated over time.

More and more, then, the question today is not if an organization will become a ransomware target, but when. Inevitably, that means the focus of cyber defence efforts should go beyond prevention (although that remains a worthy goal) and concentrate more clearly on robust preparation and response.

Making sense of an emotional experience

Family offices, which typically hold reams of sensitive data concerning ultra-high-net-worth individuals, are a natural target for bad actors, an increasing number of whom are taking aim. Awareness of the threat has generally increased as a result, yet in our work advising family offices and other organizations on emergency management, we have found that many still feel woefully unprepared for a cyber-attack. Indeed, a global survey published in May by the law firm Dentons found that while seven in 10 family offices think cyberattacks are more likely today than in 2020, fewer than one in three have robust defensive capabilities or sufficiently trained staff. Our own Global Digital Trust Insights report found that only two per cent of executives have implemented cyber resilience actions across their organizations.

Perhaps part of the reason for this gap between awareness and action is the perception that cybersecurity programs are dauntingly complicated, and many organizations simply don’t know where to start. Ransomware attacks, in particular, can be overwhelming. When your most valuable information is suddenly held hostage, the possibility that it could be used for nefarious purposes—or even simply made public—is a paralyzing prospect. And the potential business impact is severe.


Add to that the reputational risk to your organization, as well as the risk that the attack will severely disrupt your business or even make it impossible to conduct business, and a ransomware attack can be a gut-wrenching experience whose ripple effects touch everyone in and around the organization, from senior leadership and front-line staff to business partners, suppliers and regulators.

It is quite natural to feel angry or indignant when confronted with an attack, and on moral grounds many business executives do not want to bow to criminal activity. In the case of ransomware, those reactions often prompt an organization’s leader to simply say: “We are not going to pay.” But the decision to pay or not to pay is a complex one, and it should be based on a disciplined analysis of the costs and benefits of both courses of action.


Among other considerations, paying may not come with a trustworthy guarantee of recovering your data (although the somewhat twisted economics of ransomware dictate that attackers often do release the data once they are paid—after all, they want their next victim to pay, too). This course of action can also raise ethical concerns, and it might have legal implications. On the other hand, not paying comes with risks, too, including the potential loss of data or the sale of data to criminal organizations, reputational damage and long-term interruption of business operations.

Our point is that while emotions are bound to come into play during a cyber-attack, they rarely lead to a preferred outcome for the target. Clear-headed analysis is the basis of an effective response, and achieving that usually requires practice and preparation.


Focus on capabilities

The other key is ensuring your organization has the people in place to address a crisis. Note that we did not simply say “have a plan.” The reality is that written instructions or protocols, while perhaps necessary, may not be sufficient to adequately prepare any organization for the complexities and stresses that arise in a real-world ransomware attack, when emotions are running high and every minute counts. (As boxer Mike Tyson famously said, “Everybody has a plan until they get punched in the mouth.”) We have found it far more effective to also focus on capabilities—that is, assembling a crisis response team that has the right people, in the right places, with the right training and practice.


This is important because every organization and crisis is both complex and variable. How you respond to a ransomware attack depends on a host of factors. For instance, what’s the magnitude of the attack? Do the attackers actually have the data? How did they get it? (Phishing emails, IT vulnerabilities and compromised credentials are three common “ways in.”) How big is the threat? Could you potentially recover without paying the ransom, and if so, how long might it take? In short, there are usually a lot of moving parts, and the information you must act upon is often incomplete or conflicting. No plan can account for all the variables—but a team of competent people perhaps can.


What does a good response team look like? Typically, managing a ransomware crisis will involve a number of players, both internal and external: leadership, cyber crisis investigators, ransom negotiators, insurers, legal counsel, PR professionals, and, quite often, a breach coach (for instance, a third-party cyber response consultant who is trained specifically in responding to cyber-attacks and can coordinate the team). In the real world, one person can perform several of these functions (for instance, a lawyer is sometimes also the breach coach), so we prefer to focus on capabilities rather than roles.

A few core capabilities apply in most situations:

  • Incident response: This is a technical capability, which usually means cyber-crisis investigators who analyze the ransomware attack and gauge its extent. It helps determine what exactly has happened (it’s not always clear!), how the attackers got into the IT system, and what information they have access to. Incident response also tries to answer two tactical questions: What do we need to get the attackers out of the system, and how can we recover from the attack? 
  • Crisis management: More strategic in nature than incident response, crisis management is an executive-level decision-making capability. It develops answers to such questions as, Are we going to consider paying, or not? Whom do we need to communicate with, what are we going to say and when are we going to say it? How will the various people we need on this file work together and communicate? Will we get law enforcement involved? Crisis management also is tasked with making decisions on the fly as new information comes in or the situation on the ground evolves. 
  • Crisis communications: Reputation management is a key consideration here, and some capability in crisis communications is essential. The communications team needs to determine who the relevant stakeholders are, what kind of information to share, how to message it effectively, and how and when to share it. Executives who have been through a ransomware attack often say that communications is the most challenging aspect of the response, in large part because it is the most significant element in effectively managing reputational impact. After all, managing the crisis effectively is one thing; ensuring that your stakeholders perceive that you have responsibly managed it is another.
  • Business continuity: When an organization is hacked, it will typically decide to take at least part of its IT system offline to prevent any further spread of the attack. If the attack has come via a third party—for example, an IT supplier—then the organization might cut off communications with that party at least until the crisis is resolved. What will this downtime do to your operations or to your organization’s reputation? How do you continue to operate the business absent at least part of your IT systems? Do you need to reallocate human and/or technical resources so that critical functions can be completed? The business continuity team members address those questions and more.
  • Disaster recovery: This is the capability to manage the fallout from the ransomware attack. For example, can you restore data from backups (which may apply in particular if negotiations with the attackers fail)? Once the attack is over, how do you recover the data? And how can you bring your IT stack back online so that you can get back to business? This is a bit of a blind spot for many business leaders, who often believe that if they resolve the attack (for instance, through paying), they can recover in short order. That is rarely the case, but having an effective internal recovery mechanism in place before an attack can make the process much easier and faster. 
  • PII analysis: PII stands for “personally identifiable information,” and it points to one of the most important variables in a ransomware attack. Some non-consumer-oriented organizations (like family offices) do not pay enough attention to this issue, in part because they mistakenly believe PII is limited to credit card numbers and similar consumer financial information. But the sensitive data that falls under PII is much broader than that. For instance, employee information—health insurance numbers, financial records, passport and social insurance numbers, even names and addresses—can be valuable to ransomware perpetrators, too. When a threat actor gains access to such information, certain regulatory requirements may apply, and the organization may have a duty to report the attack. However, this can be a complex challenge. Particularly in the early stages of a ransomware response, it is not always clear what data the attackers have or how sensitive it is—sometimes they will tell you, but sometimes that disclosure is subject to negotiation. You can try to figure it out on your own, of course, but doing that successfully is time-consuming and ultimately depends on the quality of your organization’s records management.

In the end, understanding the capabilities your office will need when (not if) a ransomware attack occurs can go a long way towards mitigating the risk that you respond emotionally rather than rationally. But even here, just knowing is not enough. Like a fire drill, practice is key. If the first time the crisis response team meets is when a crisis has just occurred—well, it is probably already too late. 

In our work advising organizations on cyber-attacks, we often recommend “table-tops”—exercises in which our consultants will present the response team with a (fictional) ransomware scenario, then walk them through each step of the crisis towards a resolution. These exercises can be an effective way to build team members’ understanding of one another’s roles and responsibilities, to identify potential gaps in their response to real-world attacks, and to build capabilities through experiential learning. 


In the age of GenAI, cyber incidents like ransomware attacks are becoming more frequent, more sophisticated and more disruptive. It is an ever-changing and complex risk environment, and minimizing the impact of an attack requires discipline, structure and alacrity. That is why the focus of preparation should be on the building blocks of an effective response—understanding them, implementing them and putting them to the test before the proverbial fan has been hit.

Edward Matley is Partner and National Crisis & Resilience Leader for PwC Canada, with more than 20 years of experience in crisis management, emergency management, business continuity and IT disaster recovery.

Joseph Coltson is Partner, National Cyber Forensics Investigations Leader, PwC Canada, focusing on technology risk and litigation support.

Alvin Madar is Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada, focusing on helping clients strategically manage their cybersecurity programs.