7 questions every family office should be asking in an increasingly complex risk landscape

13 August, 2025

In a recent podcast between Ocorian and Toro Solutions, Michael Harman and Peter Connolly discussed the increasingly complex risk landscape facing family offices today.

This article offers practical, field-tested advice that stems from Toro’s direct experience defending some of the most discreet and high-value organisations in the UK and internationally.

Here are seven key questions we believe every family office should be asking today.

1. Do we understand what our most critical assets are, and where they actually are?

Most family offices do not maintain a formal asset or risk register. The starting point for effective security is to identify what matters most. This could include financial data, key personnel, property, investment records, family archives, digital assets, or reputation. Knowing where these assets are stored and who has access is vital. Without clarity, it is impossible to protect what you cannot define. Building a live, working register of critical assets is the foundation for every other risk decision. This register should be continuously reviewed and include both tangible and intangible assets. In our experience, reputation and relationships often prove as critical as data and documents. Without visibility, teams can default to assumptions, which can leave key areas overlooked.

2. Who currently has access to our systems, data and infrastructure?

Access control is a common weak point. Former IT suppliers, consultants, or staff often retain access long after their departure. Administrative permissions can be overlooked, especially in smaller teams where roles overlap. Poorly managed access rights can result in sensitive data or infrastructure being exposed unnecessarily. A quarterly privileged access review is a practical and effective measure to ensure only the right people retain access to critical systems.

This process should include not only digital systems but also physical locations. How many people have keys, door codes, or alarm access? Is there an approval process for changing these? Even trusted individuals may become security risks unintentionally, especially when roles or responsibilities change over time.
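The quarterly privileged access review described above, as an added example that is not Ocorian's or Toro's own tooling: it joins a constructed inventory of standing access grants (digital accounts, door codes, alarm access) to a constructed roster of who is still engaged, and reports the cases a reviewer has to decide on: access still held by departed suppliers or staff, privileged grants not reviewed within the quarter, privileged grants nobody has used within the quarter, and grants with no identifiable holder (shared or orphaned accounts and keys). All names, systems and dates are constructed sample data, and the 90-day window is an assumption taken from the word "quarterly".

```python
"""Quarterly privileged access review over a constructed access inventory.

Added example (not from Ocorian or Toro). Every system name, person and date
below is constructed sample data; REVIEW_INTERVAL_DAYS is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90  # "quarterly" cadence; assumption based on the article

# Finding codes, most urgent first; used to order the report for the reviewer.
SEVERITY = ["departed", "unknown_holder", "dormant_privilege", "review_overdue"]


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    role: str
    engaged: bool                 # still employed or contracted today
    end_date: Optional[date]      # departure / contract end, if known


@dataclass(frozen=True)
class Grant:
    person_id: str                # who holds it; may not match any Person
    system: str                   # account, door code, alarm, key set, ...
    kind: str                     # "digital" or "physical"
    privileged: bool              # admin rights, master key, alarm code holder
    last_reviewed: Optional[date]
    last_used: Optional[date]


@dataclass(frozen=True)
class Finding:
    code: str
    person_id: str
    system: str
    detail: str


def _older_than(when: Optional[date], today: date, days: int) -> bool:
    """True if the date is missing or more than `days` days before today."""
    return when is None or (today - when).days > days


def review_access(people, grants, today):
    """Return the review findings, most urgent first."""
    roster = {p.person_id: p for p in people}
    findings = []
    for g in grants:
        p = roster.get(g.person_id)
        if p is None:
            findings.append(Finding("unknown_holder", g.person_id, g.system,
                                    "no matching person: shared or orphaned account/key"))
            continue
        if not p.engaged or (p.end_date is not None and p.end_date <= today):
            findings.append(Finding("departed", p.person_id, g.system,
                                    f"{p.name} ({p.role}) has left but still holds {g.kind} access"))
            continue
        if not g.privileged:
            continue  # non-privileged grants of current people are out of scope here
        if _older_than(g.last_reviewed, today, REVIEW_INTERVAL_DAYS):
            findings.append(Finding("review_overdue", p.person_id, g.system,
                                    "privileged grant not reviewed within the quarter"))
        if _older_than(g.last_used, today, REVIEW_INTERVAL_DAYS):
            findings.append(Finding("dormant_privilege", p.person_id, g.system,
                                    "privileged grant unused for over a quarter; remove or justify"))
    return sorted(findings, key=lambda f: SEVERITY.index(f.code))


# Constructed sample data, dated relative to 13 August 2025.
SAMPLE_PEOPLE = [
    Person("p1", "A. Example", "executive assistant", True, None),
    Person("p2", "B. Example", "former IT supplier engineer", False, date(2024, 11, 30)),
    Person("p3", "C. Example", "tax consultant", True, date(2025, 9, 30)),
    Person("p4", "D. Example", "house manager", True, None),
]
SAMPLE_GRANTS = [
    Grant("p1", "M365 tenant", "digital", True, date(2025, 6, 1), date(2025, 8, 10)),
    Grant("p2", "M365 tenant", "digital", True, date(2024, 6, 1), date(2024, 11, 20)),
    Grant("p2", "Office door code", "physical", False, None, None),
    Grant("p3", "Finance file share", "digital", False, None, None),
    Grant("p4", "Main house alarm", "physical", True, date(2025, 1, 10), date(2025, 8, 12)),
    Grant("p4", "Backup admin console", "digital", True, date(2025, 7, 1), date(2025, 2, 1)),
    Grant("shared-admin", "Firewall", "digital", True, None, None),
]


def run_sample():
    """Run the review over the constructed inventory as of 13 August 2025."""
    return review_access(SAMPLE_PEOPLE, SAMPLE_GRANTS, date(2025, 8, 13))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:18} {f.person_id:13} {f.system:22} {f.detail}")
```

The point of the join is that the access inventory and the personnel roster are kept by different people (the IT provider and the office manager respectively), so a grant that looks fine in either list alone is only exposed when the two are compared; the same structure works for keys and alarm codes as for admin accounts, which is why the physical grants sit in the same inventory.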

3. What is our outsourced IT provider actually doing to keep us secure?

A functioning IT system does not necessarily mean a secure one. In our audits, around 80% of outsourced providers were not maintaining basic security hygiene. This includes patching, backup validation, endpoint monitoring, and incident alerting. Family offices often assume security is included as part of the service, but this is rarely the case. Consider commissioning a third-party security audit to verify assumptions. It is also worth clarifying what your provider would and would not do in the event of a breach.

It is important to move beyond assumptions. We have seen cases where the provider claimed certain protections were in place, only to discover they were misconfigured or not enabled at all. Reviewing contracts, service level agreements and asking for written confirmation of key controls can help build accountability.

4. Have we ever tested our people and systems under real-world conditions?

Security controls must be validated. Red teaming or penetration testing can reveal gaps that would otherwise go unnoticed. These exercises can include phishing simulations, physical intrusion tests, and social engineering attempts. We frequently uncover vulnerabilities in areas where clients feel most confident. Human behaviour is often the weakest link. Even well-trained teams can be caught off guard by a convincing impersonation, spoofed email, or staged emergency. Regular testing helps build confidence and capability.

Beyond technical results, red teaming exercises also provide insight into organisational culture. How do people react to pressure, ambiguity, or urgency? Do escalation paths work in practice? Is leadership informed quickly enough to act decisively? These insights are invaluable when planning training, communication strategies, and crisis response protocols.

5. Are we aligned on our actual risk appetite as a family and a business?

Unlike corporates, family offices often include multiple generations with varying comfort levels around risk and technology. Principals may favour discretion and tradition, while younger family members may be more comfortable posting about their lives online. These tensions can create blind spots. Without alignment, it is difficult to set consistent standards. A facilitated risk workshop can help bring clarity here, as it creates space for discussion, establishes shared values, and sets the tone for future decision-making.

It is also important to revisit this conversation periodically. As circumstances change, whether through travel, relocation, investment, or succession, so too does your risk posture. Aligning appetite and reality ensures decisions are proportionate and intentional, rather than reactive.

6. Is anyone actively managing our digital footprint?

Most attacks begin with online reconnaissance. Much of the data used in targeting principals or staff is publicly available. This could include social media, historic blog posts, breach data or even old press coverage. Monitoring what is available online and implementing basic digital hygiene measures is an easy win. We recommend regular reviews of online presence, alerting for data leaks or impersonations, and setting clear guidelines on digital exposure for family members and staff.

Digital footprint management should be a routine process, not a one-off exercise. Family members are often surprised by how much of their personal history can still be found online. Search engine results, archived material, and third-party sites all contribute to a narrative that attackers can manipulate. Training family members and assistants on privacy controls and media awareness can further reduce exposure.

7. If an incident occurred tomorrow, would we know who to call, and would they answer?

Many family offices are surprised to learn their IT provider may not prioritise them during a breach, particularly when larger clients are affected. Without a clear incident response plan and named contacts, time is lost and damage increases. We have seen incidents escalate simply because the wrong people were contacted first, or no one could confirm who was responsible. Every office should have a tested response plan, with named individuals, roles, and contact chains clearly defined. The plan should include technical responders, legal advisers, insurers, PR advisers (if needed), and trusted contacts within the family. It is also critical to rehearse the plan. Tabletop exercises help uncover gaps and build muscle memory. In a real crisis, even a few hours of delay can lead to irreversible consequences.

Toro’s message was that strong security should be proportionate, discreet, and enabling, not restrictive. It should evolve alongside your ambitions and adapt to the shifting threat landscape.

From awareness to action

Ultimately, security is not a fixed state but an ongoing process of adaptation. The questions outlined here are not a checklist to complete once, but a framework to revisit regularly. Risks evolve, priorities shift, and systems age. A family office that stays curious, challenges assumptions, and invests in readiness is far better positioned to respond with confidence when it matters most.

Ocorian

Ocorian are experts in looking after complex, high-value structures for family offices, family businesses and ultra-high-net-worth individuals across the globe. We cross borders to protect, preserve and administer our clients’ financial affairs, offering sophisticated solutions regardless of where you or your assets are located or what stage of the wealth lifecycle you find yourself. We remove administrative headaches, minimise friction, stay ahead of regulatory change and use tech-enabled solutions to ensure your wealth is safeguarded with accountability, so you can focus on what matters most.