Skip navigation
cybersecurity HYWARDS/iStock/Thinkstock

Trustees and Cyber Liability

What steps can be taken to mitigate the risk?

Trustees face unique cybersecurity challenges due to the sensitive information that’s shared among a wide array of advisors, trustees and beneficiaries. Trustees and beneficiaries alike may be targeted by cyber criminals desiring access to sensitive financial, strategic or operational data.  Many consider the management of cyber risks to be a responsibility of the trustee because the trust is the primary vehicle used to hold assets that are passed from one generation to the next.  

Personal Liability

Trustees face personal liability arising out of a breach of fiduciary duties. There are two main fiduciary duties: the duty of loyalty, which puts the beneficiaries’ interest before all other interests, including the trustees and the grantor, and the duty of care, which relates to the careful and prudent management of assets. These fiduciary duties may include ensuring adequate protections are in place to protect the beneficiaries’ data. 

The Risks

Corporations are being hacked or attacked daily and cybercrime is on the rise, so how can trustees be expected to manage this risk?  Corporations have cybersecurity policies and procedures that apply to all employees, contractors and business partners.  Trustees need to follow suit and extend their cybersecurity and data protection policies and procedures to all recipients of sensitive data. Herein lies the difficulty.

Trust data is often shared with a wide range of recipients, including family members of varying ages, who may use various technology devices and access data while in wireless hotspots or on yachts or trains, in schools, restaurants, sports clubs or work environments. They may share devices or passwords with friends or family members and post information on social media about themselves or family members, including where they are or their planned activities.

There’s also the risk that family members may be tricked by social engineering scams that download malware to personal devices or enable access to sensitive data. Geolocation data may also be obtained from mobile devices, wearable technology and photographs used to pinpoint a family member’s whereabouts. Such data may be fed through algorithms to predict a beneficiary’s future movements or their daily routine. Recent headlines about Russians using Facebook data and political campaigns to manipulate voters provide a glaring example of how predictive analytics can use this data for nefarious purposes. 

Steps to Mitigate Risk

While no strategy can completely eliminate a trustee’s exposure to liability, there are actions that fiduciaries and wealth owners can take to mitigate and transfer cyber-related risks. Special analysis is required to determine:

  • How and what data is shared with advisors, third parties and family members.
  • The ages of the people receiving it, their use of technology and the accessibility they require.
  • The physical and cybersecurity measures currently in place. 

Once the analysis is completed, it’s critical that the trustee develop a data protection plan and policies and procedures. Too often plans are created but not fully implemented; it’s important the trustee’s data protection plan be integrated into its organization’s cybersecurity program and fully extended to all recipients of data. Full implementation will require obtaining certain :greements from all recipients, which may include contractual agreements and training programs. 


Today, the wealth management industry is changing rapidly, more wealth is being passed and structures are becoming more complex. Thus, there’s more opportunity for mistakes to be made with respect to data protection, increasing the risk of litigation. Consequently, there needs to be a better balance between risk and insurance.

Although insurance professionals can better prepare fiduciaries and advisors to reduce their risk, cyber risks can never be eliminated entirely. As a result, trustees and other fiduciary service providers should be able to purchase appropriately structured insurance policies. It takes a blend of cyber and insurance expertise to identify the risks unique to each organization and properly design insurance policies.

Managing trustee cyber risks requires a thorough understanding of both the operational and legal frameworks that govern the actions of the fiduciaries and advisors with the data flows to recipients. This knowledge will enable cyber experts to identify potential cyber risks and allow insurance professionals to determine appropriate types and limits of cyber insurance coverage necessary to manage the trustees’ and advisors’ cyber risks.

When identifying these risks, it’s important to consider:

  • Insurance should be able to advance defense costs when the trust can’t or won’t.
  • Knowledgeable support and assistance should be available once a potential claim is realized.
  • Access to accomplished, independent lawyers and experts should be available whenever claims are made.
  • Funds will be available to pay damages if fiduciaries make a mistake that causes damage to the beneficiaries.

The Best Path Forward

Enlist an experienced team of advisors, including insurance professionals and cybersecurity experts, to conduct a risk assessment to help you identify the cyber risks associated with trust operations and the fiduciary role of each advisor. They’ll  know where the claims can come from, what to look for in terms of risk and how to structure insurance to protect you.


Judith L. Pearson, President & CEO of Nomadx Solutions, is a seasoned insurance industry expert who helps family offices, trustees and advisers understand and mitigate risk related to wealth transfer structures. 

Jody R. Westby, CEO of Global Cyber Risk, is an attorney and cybersecurity consultant who specializes in cyber risk assessments, incident response planning, cyber governance, and digital inventories and data mapping.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.