The Softest Target on Wall Street
On February 27, a ransomware group gave Pathstone Family Office seventy-two hours. It was not the first family office they came for. It will not be the last.
The message appeared on a dark web leak site on a Thursday. It was addressed to Pathstone Family Office, a wealth management firm serving high-net-worth families, and it was blunt. The extortion group ShinyHunters claimed to have stolen more than 641,000 records containing personally identifiable information and internal corporate documents. Pathstone had until March 2 to respond. If it didn't, the data would be published, followed by what the attackers described, with a kind of clinical menace, as "several annoying digital problems."
This was not an isolated incident. In the weeks prior, ShinyHunters had made similar claims against Mercer Advisors and Beacon Pointe Advisors — two of the highest-ranked registered investment advisory firms in the United States, managing approximately $92 billion and $62 billion in client assets, respectively. Beacon Pointe confirmed unauthorized network access between January 30 and February 1, 2026, disclosing that compromised information included Social Security numbers, driver's license numbers, and financial account details. ShinyHunters subsequently published what it claimed was stolen data from both firms on the dark web after its demands were not met.
The pattern is now unmistakable. In the first two months of 2026 alone, ShinyHunters — a group that Google's Mandiant threat intelligence team has confirmed is running an "active and ongoing" campaign — has targeted more than a dozen organizations through a consistent playbook: voice-phishing employees to steal single sign-on credentials, exfiltrating data, and then issuing public deadlines. Their victim list reads like a cross-section of the economy: Panera Bread, Harvard, Bumble, SoundCloud, Betterment, CarGurus. But the financial advisory sector has emerged as a particular focus. And for a reason that should concern every family office principal reading this: the wealth management industry combines extraordinarily sensitive data with, in many cases, extraordinarily thin defenses.
The numbers that should keep you awake
The Deloitte and Campden Wealth Family Office Cybersecurity Report, published in early 2025, surveyed family offices globally and produced findings that read less like a risk assessment and more like an open invitation. Forty-three percent of family offices had experienced a cyberattack in the preceding twelve to twenty-four months. Among those, a quarter had been attacked three or more times. The figures were worse for larger offices and for those based in North America: 57 percent of North American family offices reported an attack, and 62 percent of offices managing more than a billion dollars in assets had been targeted.
But the real story is not in the frequency of attacks. It is in the preparedness — or, more precisely, the absence of it.
Nearly one-third of family offices surveyed — 31 percent — had no cyber incident response plan at all. An additional 43 percent acknowledged that their plan "could be better." Only 26 percent claimed to have a robust plan in place. Sixty-three percent lacked cybersecurity insurance. Fifty percent had no disaster recovery plan. Sixty-eight percent had not adopted "know your vendor" protocols for their third-party service providers.
Strip away the percentages and what you find is this: the majority of single family offices managing multi-generational wealth — entities holding assets that in many cases rival small sovereign wealth funds — do not have a documented plan for what to do if a ransomware group calls.
Deloitte's follow-up research, published in January 2026, expanded the aperture to family businesses more broadly and found the picture no better. Nearly three-quarters — 74 percent — of family businesses globally had experienced at least one cyberattack in the past two years. Among those attacked, the damage was near-universal: 54 percent reported financial loss, 51 percent operational disruption, and 51 percent reputational harm. Only 4 percent reported no damage whatsoever.
Why family offices, and why now
The targeting of family offices is not random. It follows a cold, recognizable logic.
First, the data is extraordinarily valuable. A family office's systems contain not just financial records but the complete architecture of a family's private life: trust structures, estate plans, tax returns, real estate holdings, private investment agreements, personal communications, medical information, and — in many cases — the personally identifiable information of family members across multiple generations. For a criminal enterprise operating a double-extortion model — where the threat is not just encryption of systems but publication of stolen data — a family office offers leverage that few other targets can match. The reputational damage alone can be catastrophic. Unlike a public corporation, which can issue a press release and absorb a stock price hit, a family office's entire value proposition is discretion. Once that is compromised, the damage is structural.
Second, the defenses are often thin. Family offices are, by design, lean organizations. The Deloitte research found that most rely on basic first-line controls — strong passwords and multi-factor authentication at 85 percent, data backups at 72 percent — but far fewer have invested in the advanced protections that actually prevent sophisticated attacks. Only 34 percent conduct cybersecurity maturity assessments. Only 58 percent provide staff cybersecurity training. The result is an asymmetry that attackers understand well: high-value data behind low-cost walls.
Third, the attack surface has expanded. The ShinyHunters campaign is illustrative. The group does not exploit exotic zero-day vulnerabilities. It voice-phishes employees — calling them directly, sometimes using AI-cloned voices — to steal single sign-on credentials for platforms like Okta, Microsoft Entra, and Google Workspace. Once inside the SSO environment, a single compromised credential becomes, as one cybersecurity researcher put it, "a master key to downstream applications and data stores." In an era when even large enterprises struggle to defend against social engineering, a family office with six employees and no dedicated security team is at a severe structural disadvantage.
The cost of complacency
IBM's Cost of a Data Breach Report, published annually, provides the clearest benchmark for what these incidents actually cost. The 2024 edition found that the global average cost of a data breach reached $4.88 million — a 10 percent increase from the prior year and the largest single-year jump since the pandemic. For financial services firms specifically, the average was higher still: $6.08 million, some 22 percent above the global mean.
But these averages, derived primarily from large corporate breaches, may actually understate the impact on a family office. A public company can spread breach costs across a massive revenue base and recover customer trust through marketing and disclosure. A family office has neither the scale nor the appetite for public exposure. When Beacon Pointe disclosed its breach to the Massachusetts Office of Consumer Affairs, it reported that compromised data included Social Security numbers and financial account information. For a firm whose clients entrust it with their most private financial details, that disclosure represents something that no dollar figure fully captures.
The costs compound in less visible ways. Post-breach forensic investigations. Legal counsel across multiple jurisdictions. Regulatory notifications. Credit monitoring for affected individuals. Insurance claims — for the minority that have coverage. And then the long tail: the erosion of trust that makes existing clients reconsider the relationship and prospective clients look elsewhere. For a family office, where relationships are measured in decades and reputations are measured in generations, a single breach can permanently alter the institution's trajectory.
The governance failure behind the technical one
There is a temptation to treat cybersecurity as a technical problem — a matter of firewalls and penetration testing and software patches. It is not. Or rather, it is not only that.
The deeper failure exposed by the current wave of attacks is one of governance. In many family offices, cybersecurity does not have a seat at the governance table. It is not discussed at investment committee meetings. It is not part of the family constitution or the operational charter. It is delegated to whoever manages IT — often a single person or an outsourced provider whose mandate is to keep systems running, not to anticipate threats.
This is the equivalent of building a vault to store a family's most valuable assets and then handing the keys to someone whose job description is "maintain the building." It is not that the person is incompetent. It is that they were never given the mandate, the budget, or the authority to do what the situation actually requires.
The shift that is needed is conceptual before it is technical. Cybersecurity in a family office must be treated as a governance function — equivalent in importance to investment policy, succession planning, and regulatory compliance. It belongs in the principal's direct line of sight, not three layers below it.
What acting on this actually means
For a family office that has not yet made this shift, the path forward is neither obscure nor prohibitively expensive. It begins with five steps, none of which require a seven-figure technology budget.
The first is an honest assessment. Engage a qualified cybersecurity firm to conduct a maturity assessment of the office's current posture. This is not an IT audit. It is a structured evaluation of people, processes, and technology against a recognized framework. The goal is not to produce a passing grade but to produce a clear picture of where the vulnerabilities actually are.
The second is an incident response plan — written, tested, and accessible. The Deloitte data is damning on this point: 31 percent of family offices have no plan at all. An incident response plan does not need to be complex, but it must answer specific questions: Who is called first? Who has authority to shut down systems? Who communicates with the family? Who communicates with regulators? How is evidence preserved? Who manages the relationship with law enforcement? Without a plan, the first hours of a breach — the hours that matter most — are consumed by confusion.
The third is cybersecurity insurance. Sixty-three percent of family offices lack it. The process of obtaining coverage is itself valuable: insurers require applicants to demonstrate baseline security controls, which forces the office to meet a minimum standard. The policy then provides a financial backstop for the costs that even well-prepared organizations cannot fully prevent.
The fourth is vendor governance. Family offices depend heavily on third-party providers — custodians, fund administrators, legal counsel, IT service providers — each of whom has access to some portion of the family's sensitive information. The ShinyHunters campaign exploited SSO platforms precisely because they are shared infrastructure: one compromised provider can expose dozens of downstream clients. Knowing your vendor's security posture, and requiring contractual commitments to minimum standards, is not excessive diligence. It is basic prudence.
The fifth is training. Ninety-three percent of cyberattacks on family offices begin with phishing. The most advanced firewall in the world is irrelevant if a staff member clicks a malicious link or gives credentials to a voice-phishing caller. Regular, scenario-based training — not a once-a-year compliance video — is the single most cost-effective defense available.
The question that matters
The Pathstone breach — alleged or confirmed, the distinction matters less than the signal — arrives at a moment when family offices can no longer treat cybersecurity as someone else's problem. The threat actors have identified the sector. They understand its vulnerabilities. They have demonstrated, repeatedly, that they will act on that understanding.
The question for every family office principal is not whether they are a target. The Deloitte data has answered that: 43 percent have already been hit, and the actual figure is almost certainly higher, given that many breaches go undetected. The question is whether, when the message appears on the dark web — addressed to their office, naming their firm, counting down from seventy-two hours — they will have done the work to respond.
The offices that have will navigate the crisis. It will be expensive, disruptive, and deeply unpleasant. But they will emerge with their data recoverable, their obligations met, and their reputation intact.
The ones that haven't will learn something that the families they serve already know: that the most consequential risks are not the ones you can see coming. They are the ones you chose not to prepare for.
This is the third installment of The Prominent Dispatch, a biweekly series on the convergence of capital strategy and operational technology in the family office sector.
Sources and verification notes:
All statistics and events cited in this article are drawn from identified, published sources:
Pathstone Family Office ransomware claim: ShinyHunters claimed breach on Feb 27, 2026, threatening to release 641,000+ records by March 2. Reported by Cybernews, RedPacket Security, Undercode News, and tracked on Ransomware.live. As of publication, Pathstone has not publicly confirmed or denied the breach.
Mercer Advisors and Beacon Pointe Advisors breaches: ShinyHunters claimed responsibility in mid-February 2026, alleging 5M records (Mercer) and 100K+ records (Beacon Pointe). Beacon Pointe confirmed unauthorized access Jan 30–Feb 1, 2026, disclosing SSN, driver's license, and financial account exposure to the Massachusetts Office of Consumer Affairs (Feb 20, 2026). ShinyHunters subsequently published claimed stolen data. Reported by Cybernews, FA Magazine, ClassAction.org, The Register.
ShinyHunters campaign scope: Voice-phishing SSO credentials (Okta, Microsoft, Google). Mandiant (Google) confirmed campaign is "active and ongoing." Wikipedia entry documents 15+ victims in Jan–Feb 2026. Additional reporting from Malwarebytes, The Register, State of Surveillance.
Deloitte/Campden Wealth Family Office Cybersecurity Report 2024: 43% of FOs experienced cyberattack in past 12–24 months; 25% hit 3+ times; 57% of North American FOs attacked; 62% of $1B+ AUM offices attacked; 31% lack incident response plan; 26% have "robust" plan; 63% lack cyber insurance; 50% lack disaster recovery plan; 93% of attacks begin with phishing; 85% use MFA; 58% provide staff training; 34% conduct maturity assessments. Published Jan 2025, Deloitte Global.
Deloitte Family Business Cybersecurity 2026: 74% of family businesses experienced at least one cyberattack in past 2 years; 54% financial loss, 51% operational disruption, 51% reputational harm; only 4% reported no damage. Based on 1,587 family businesses across 35 countries. Published Jan 29, 2026.
IBM Cost of a Data Breach Report 2024: Global average $4.88M (10% YoY increase); financial services average $6.08M (22% above global mean). Based on 604 organizations, 17 industries, 16 countries. Published by IBM/Ponemon Institute, July 2024.