This section is by PBY Capital.

Cybersecurity: How family office advisors are working to strengthen the ‘human firewall’

Cyberattacks are taking a bigger bite out of investor portfolios. Cybersecurity services are helping family office clients fortify their defences.

This article is part of our June special report on digital risk in family offices.


Family offices and advisors are often dedicated primarily to helping clients maintain investment capital and generate returns, and managing financial risk is a core part of that effort. But today, firms are becoming increasingly vigilant about another risk—in the form of an onslaught of sophisticated cybercriminals intent on separating clients from their wealth. For these family offices, the goal is far removed from the world of stocks and bonds. It’s about reducing vulnerabilities through education on technology, and through curbing habits that expose finances to cyber risk.

According to The Family Office Cybersecurity Report 2024 by Deloitte, 57 per cent of family offices in North America had experienced a cyberattack in the previous 12 to 24 months. The most common attacks, according to Campden Wealth’s Family Office Operational Excellence Report 2025, include phishing (48 per cent), a data breach caused by a family member (26 per cent) and the installation of malware (19 per cent).

How big a bite are scammers and cyber criminals taking out of family office client portfolios? That is hard to determine, given that many frauds clearly go unreported. Looking across Canadian society, however, gives some idea of the extent of the damage. According to the 2024 Annual Statistical Report of the Canadian Anti-Fraud Centre (CAFC), which says that frauds targeting older Canadians are the most common, investment fraud losses totalled more than $313 million (nearly $80,000 per victim), while spear phishing—personalized and targeted scams—netted $67,349,355 ($107,415 per victim) and romance scams scooped up $58,871,388 ($55,697 per victim).

Training families to protect themselves

Against that seeming tidal wave of criminality, some family office advisors are taking action. Edmonton-based North Road Investment Counsel, for one, offers cyber counselling services directly to clients who may not recognize their own vulnerabilities.

“We noticed in our own families that our older relatives were having challenges with technology,” says Cary Williams, director of research, portfolio manager at North Road. “Our president, Marshall McAlister, came into the office one day about two hours late and his hair was on fire. He had just spent two hours helping his dad with his phone. We had a bit of a laugh, because we’ve all been there with a relative. But after we stopped laughing, he wondered how many of our clients might be just like his dad, likely unable to protect themselves from cyber threats, let alone knowing how to manage technology from day-to-day.”


The idea of helping clients protect themselves took root, and two years ago North Road developed a cyber counselling service. It is largely aimed at clients who have retired from corporate life and suddenly no longer enjoy the tech support their companies once offered. To develop the service, the firm teamed up with cybersecurity expert Mykhailo (Misha) Niemtsev, who joined North Road as its client-facing digital risk advisor.

“Most people are still in the camp that they know they could theoretically be a target, but that they don’t need to take explicit action,” Williams says. “We’re saying that is no longer the case, as the capability of fraudsters is increasing exponentially through the use of technology and AI. Misha works his magic by helping them understand that there’s a risk, and that they’re going to be okay if they take some action.”

The process is straightforward. Niemtsev meets with clients in person or through a video call and takes them through the company’s eight-step Digital Risk Advisory Program, which includes a personal assessment of digital risk; password management; antivirus software; recognizing phishing emails; identity and credit monitoring; backup and disaster recovery; network security; and digital estate planning.

The North Road program focuses on simple, high-value strategies that offer the highest levels of protection to address clients’ personal exposure.

“Most of our clients are retired professionals,” Niemtsev says. “It’s often hard to convince them that the risk is real until I do an assessment with them. I start asking questions and it takes about five to 10 minutes for the energy to shift where they catch on that they’re not experts in this field.”

Clients are often convinced that technology will provide most of the protection they need, with personal habits a distant second. Once Niemtsev shares anecdotes about people whose identities were compromised simply because they used a public Wi-Fi network at a local café, for example, the importance of behaviour rises to the top tier.


Niemtsev then creates a tailored plan for the family, addressing its most significant vulnerabilities. “We make sure their accounts are secured, from the most important to the least,” he says. “Accounts like e-mail and social media are often considered non-critical, while hackers would primarily attack those because of how low the security levels are and how much damage they can do. In many cases, their most critical vulnerability is that most of their accounts have the same password and they haven’t enabled multi-factor authentication.”

Niemtsev explains that even the simple act of posting current vacation photos on social media advertises the fact that there’s nobody home, potentially paving the way for a robbery.

Once behavioural issues are addressed, he helps clients understand how a virtual private network, or VPN, can help protect personal information. He also advises them on upgrading technology, ensuring that old devices are wiped of information before being properly disposed of. Through phishing training, he teaches clients to be careful about clicking on potentially malicious links in emails, and encourages them to hang up if a phone call seems suspicious.

“AI is being used to perpetrate fraud, with voice samples used to create realistic-sounding messages from family members or friends,” he says. “We instruct people to call back through a known or an official number and confirm whether this is really the person who says they called you.”

Building a family office cybersecurity roadmap

Richter Family Office, a multi-family office headquartered in Montreal, provides clients with three cybersecurity offerings, scaled from larger enterprises to individuals. They’re overseen by Raymond Vankrimpen, a partner at Richter, who offers expertise in the areas of cybersecurity, privacy, IT risk management and data quality.

Richter Guardian is a managed personal cybersecurity and digital risk protection service that brings enterprise-grade monitoring, incident response, and identity and reputation defence to high-net-worth individuals, executives and their families, covering personal devices, accounts and online exposure.


“People are often surprised at how professional social engineering has become,” Vankrimpen says. “Artificial intelligence has made the scammers and fraudsters much more believable and professional. They get a call that looks like it’s coming from a bank and the person on the line has probably done some advanced intelligence gathering. They know things about you that you would think only the bank would know. Before you know it, you’re putting your bank cards into an envelope and handing it to some Uber driver.”

From voice cloning to video cloning and the grandparent scam—apparent calls from a distressed grandchild who is asking for cash—clients are introduced to the most common approaches scammers use.

“A lot of it comes down to training individuals and making them more skeptical,” Vankrimpen says. “I did some research with the University of Waterloo, and we were able to narrow down about 13 psychometric questions. With a high degree of certainty, depending on how people answered those questions, we could determine if they would be a victim of a phishing attack.”

Cybersecurity Health Check is an assessment of a family office’s cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework 2.0. The program evaluates governance, identity and access, data security, third-party risk, and detection, response and recovery readiness.

“For a family office to prioritize this, sometimes it takes a security breach on their part, or somebody close to them has been the target of an attack and they start to take it seriously,” Vankrimpen says. “We’re finding that more and more these organizations are being seen as a target of opportunity. There’s significant wealth, their security defences are much less sophisticated than your typical enterprise organization, and they become easy targets for business e-mail compromise or malware.”

Richter builds a roadmap for family offices, prioritizing actions that require the least effort and smallest investments to mitigate the greatest amount of risk. Developing a good password policy, for example, is an early and easy win. Procuring cyber insurance to cover a breach is more expensive and will often be placed further along the family office’s cybersecurity roadmap.


Richter’s Tabletop Exercise is a scenario-based simulation that walks decision-makers through a realistic cyber or operational crisis, such as a ransomware attack or email breach. The exercise exposes gaps in communication, roles and response plans before a real attack. The result is a structured gap assessment, a prioritized remediation roadmap, and an incident response playbook.

“The tabletop exercise talks to all the people in that family office, including the principals if they’re involved, and getting them on board to really understand the issues at hand,” Vankrimpen says. “People can very quickly make a problem much bigger if they don’t have a good incident response plan in place and they don’t test it through these kinds of scenarios.”

The exercise might reveal the need for more robust back-ups of essential data, a better understanding of breach reporting requirements, a breach communication policy, and the role of breach counsel during an incident.

However, while using technology to bolster cyber defences is essential, no technology is so robust that human error or carelessness can’t breach it. For example, in 2017, just days after credit rating agency Equifax revealed a widespread data breach in the U.S., another vulnerability came to light in its Argentina operations: the local information portal was protected with the word “admin” as both the login and password.

“Controlling digital risk,” says North Road’s Niemtsev, “is still mostly about what people allow themselves to do and what they prevent themselves from doing.”

Peter Kenter is a Toronto-based writer with a deep and abiding interest in how everything in the world works and how it got that way. He’s written about the economy, investing, financial services, cryptocurrency, pharmaceuticals, mining, energy, cannabis, agriculture, consumer electronics, education, sponsorship marketing, and entertainment. He’s the author of TV North: Everything You Wanted to Know About Canadian Television.
