Protection — Keeping What You've Built

Chapter 8 of Running a Family Office Under $100M

Most founders spend far more energy growing wealth than protecting it.

Makes sense psychologically. Growth is exciting. Protection feels like admin. Nobody lies awake at night excited about their insurance coverage.

But preventing a £5M loss is equivalent to generating a £5M gain. Usually far easier. And the threats that actually destroy wealth have evolved faster than most founders' defences.

Twenty years ago, protection meant liability insurance and maybe a trust. Straightforward. Stable. Your solicitor handled it.

Today? The primary threat to your wealth might be sitting in your pocket.

The Threat That's Actually Growing

I'm going to spend most of this chapter on cybersecurity. Not because the traditional threats—litigation, divorce, health, family conflict—have disappeared. They haven't. But those threats are well understood. You know you need insurance. You know divorce is expensive. You probably have a will somewhere.

What most founders don't appreciate is how dramatically digital threats have grown, and how poorly protected most people are.

The numbers are stark. According to the UK Government's Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber security breach or attack in the past 12 months—approximately 612,000 businesses. Fraud incidents recorded by the Crime Survey for England and Wales increased 19% to 3.9 million incidents in the year ending September 2024. Fraud now accounts for an estimated 41% of all crime against individuals in England and Wales.

The attacks aren't sophisticated in the way you might imagine. No movie-style hacking. Just patient, methodical exploitation of weak points.

Conveyancing Fraud: The Property Transaction Trap

Between 1 April 2024 and 31 March 2025, 143 cases of conveyancing fraud were reported to Action Fraud, resulting in £11.7 million in losses. The average loss per residential case was £78,393—but commercial property frauds averaged £257,833 each.

Here's how it typically works. Criminals gain access to email chains between property buyers, sellers, and solicitors. They monitor traffic, learning the language, the timing, the players. Right before completion, they send wire instructions from what appears to be the solicitor's address. The email looks exactly right. The timing is exactly right. The sort code is one digit different.

By the time the discrepancy surfaces, the money is gone. Often unrecoverable.

Lloyds Bank reported a 29% increase in conveyancing scams in 2023, with victims losing an average of £47,000—and several cases exceeding £250,000. One documented case saw a victim lose £640,000 when criminals intercepted emails and provided payment details on headed solicitors' paper. Most of the money was never recovered.

About 45% of victims are aged 39 or under—first-time buyers who are particularly vulnerable because they're unfamiliar with the process. But experienced property investors are equally at risk. The criminals don't care about your sophistication; they care about the size of your transaction.

SIM Swapping: The 1,055% Surge

SIM swap fraud in the UK increased by 1,055% in 2024 according to Cifas, the UK's fraud prevention service. Nearly 3,000 cases were reported compared to just 289 in 2023.

An attacker convinces your mobile carrier to transfer your number to their SIM. Suddenly they receive your two-factor authentication codes. They reset passwords on your email, your bank, your brokerage. By the time you notice your phone isn't working, they're inside everything.

The attack can now be executed in under five minutes, particularly with eSIM technology. Mobile phone accounts were involved in 48% of all account takeover cases in 2024. Identity fraud related to mobile products surged 87%, representing over 16,000 cases.

Once criminals control your phone number, they control access to most of your financial life. This is what Merseyside Police calls a "gateway offence"—the entry point for broader fraud schemes.

Deepfake CEO Fraud: When Your Own Voice Betrays You

In February 2024, an employee at engineering firm Arup was tricked into wiring £20 million (HKD 200 million) to criminals. The attack involved a sophisticated multi-person video conference call featuring deepfaked, AI-generated likenesses of the company's CFO and other senior executives. The employee made 15 transactions to five bank accounts, believing he was following legitimate instructions from his colleagues.

This wasn't an isolated incident. Earlier, in 2019, a UK energy firm lost €220,000 when criminals used AI voice cloning to impersonate the CEO in a phone call. The voice matched perfectly—tone, accent, speech patterns—because modern AI can clone a voice with 85% accuracy using just 3-5 seconds of audio.

Deepfake incidents increased by 257% in 2024 compared to 2023. In the first quarter of 2025 alone, there were 179 incidents—surpassing the total for all of 2024. Financial losses from deepfake-enabled fraud exceeded $200 million in Q1 2025.

The WPP case is instructive. Scammers cloned CEO Mark Read's voice and used it on a fake Teams-style call to request credentials and fund transfers. The attack was caught, but only because employees noticed something felt off. Others haven't been so fortunate.

Business Email Compromise: The Silent Epidemic

93% of UK companies were targeted by fraud in 2024, according to Trustpair research. For 21% of businesses that suffered successful attacks, the average loss per incident was £500,000.

Nearly 88% of UK businesses identified cyber fraud as a significant driver of payment fraud. Tools like generative AI enable fraudsters to craft convincing business email compromise scams that mimic executives' communication styles, outpacing traditional detection measures.

Yet 70% of companies still rely on manual methods like callbacks and email-based validations—methods that sophisticated attackers have learned to circumvent.

What Actually Works

The good news: protection against most of this is cheap and straightforward.

Hardware Security Keys

Physical devices—YubiKey is the common one—that you plug into your computer or tap against your phone to verify login. They can't be phished because they verify the actual site you're connecting to. They can't be SIM swapped because there's no SIM involved. They cost about £50.

I consider this the single highest-leverage thing you can do. Set up hardware keys on your primary email and your main financial accounts. The friction is minor—you tap a device when logging in. The protection is substantial. Most of the attack patterns I described above fail completely against hardware keys.

The FBI and UK National Cyber Security Centre both recommend hardware keys over SMS-based two-factor authentication. Given that 42% of UK banks and 61% of crypto exchanges still rely on SMS-based 2FA, you're already ahead if you use hardware keys.

Separate Email for Financial Accounts

Not the address on your business card, your LinkedIn, every newsletter you've ever signed up for. Create an address that exists only for financial institutions. Hard to attack something attackers don't know about.

This simple step means that even if your main email is compromised, your financial accounts remain isolated. The attacker would need to find an email address they don't know exists.

Verbal Confirmation Protocols

Before any significant wire leaves your accounts, someone calls a known phone number—not one from an email, one you already have on file—to confirm. Every time. No exceptions because someone is in a hurry.

This simple friction has saved people from losing everything. The City of London Police explicitly recommends: "Always get your solicitor's bank details in-person or over the phone at the start of the conveyancing process, and request that any changes to these details be communicated in-person, by phone call, or by letter."

Talk to your bank about this. Talk to any advisors who might move money on your behalf. Establish the protocol before you need it.

SIM Lock

Call your mobile carrier and add a SIM lock. Require that any SIM changes happen in person with ID. Takes ten minutes. Defeats most SIM swapping attempts.

With eSIM technology making remote SIM swaps easier than ever, this protection is now essential rather than optional. Ask specifically about port-out protection and account security PINs.

Password Manager

Use a password manager with unique passwords everywhere. You know you should. You probably don't do it consistently. One password reused across sites means one breach exposes everything.

All of this costs almost nothing. Maybe £100 and a few hours total. The asymmetry is absurd—minimal effort protecting potentially millions.

Insurance: Shorter Than You'd Expect

Insurance is boring but essential. I'll keep this brief because the main points land quickly.

Most founders are underinsured relative to their wealth. Policies appropriate at £500K net worth don't protect £15M. But policies don't automatically scale.

Personal Liability (Umbrella Coverage)

This is the main gap. Standard home and motor policies in the UK typically cap liability at £2–5 million—which sounds like a lot until you consider a serious accident involving multiple injuries or fatalities.

High-net-worth insurance providers like Chubb, AXA XL, Hiscox, and Ecclesiastical offer personal liability limits of £10 million or more. These policies also cover situations standard policies often exclude: liability from domestic employees, worldwide coverage, defamation claims, even some cyber incidents.

The UK insurance market softened in 2024, with Aon reporting potential pricing reductions of 11–20% across many key classes. D&O insurance saw rate reductions averaging 10–15%. It's a good time to review and potentially increase coverage.

If you have £15M in liquid assets and £2M in liability coverage, that maths is uncomfortable. A serious multi-vehicle accident, a guest injured at your property, an employee lawsuit—any of these can exceed standard limits.

Other Coverage Gaps

D&O insurance if you sit on boards—essential now that companies are scrutinising sustainability, AI use, and cyber exposure. The buyer-friendly market means you can often get better terms than even a year ago.

Life insurance sized to current situation rather than a decade ago. With IHT frozen at 40% above £325,000 (now until at least 2030), life insurance written into trust can help beneficiaries meet the liability without liquidating the estate.

Property coverage that reflects current rebuild values. The 2024 market saw significant property revaluations, and insurers were generally willing to accommodate increased limit purchases.

Cyber insurance for any business interests—increasingly important as claims costs rise and underwriting tightens.

Finding the Right Broker

The UK has several high-net-worth specialist providers: Chubb, Hiscox, AXA XL Private Clients, Ecclesiastical Private Client Group, Zurich Private Clients, Aviva Private Clients. An independent broker who works across these providers can identify the best combination of coverage and price.

Annual review takes an hour. Catches drift before it matters.

Asset Protection

We covered structure in Chapter 3, so won't repeat all of it. A few protection-specific points.

The basic principle: assets in your personal name are fully exposed to personal liability. Assets in properly structured entities have some protection. Operating activities should sit in separate entities from investment assets so a problem in one doesn't reach the other.

Trusts can provide protection if established before any claim arises. You can't transfer assets to escape an existing lawsuit. But a trust set up years earlier may protect assets from future claims. The rules are complex—particularly since the April 2025 shift from domicile-based to residence-based IHT—and specialist advice is essential.

Prenuptial and postnuptial agreements deserve mention. Uncomfortable to discuss, essential to consider. Much easier to negotiate when everyone's happy than when they're not. The courts now give significant weight to properly drafted agreements, especially where both parties had independent legal advice.

None of this prevents all claims. Someone determined enough can pursue you regardless of structure. But proper structure raises the cost and effort, which often changes the calculation for potential claimants.

Succession

Two scenarios: you die, or you're alive but can't manage your affairs. Both happen. Neither respects your schedule.

You need basic documents—will, lasting powers of attorney (financial and health & welfare), advance decision. If you have documents from years ago and your situation has changed significantly, they need updating.

But the document most people don't have is a complete asset inventory. Where everything is. Account numbers, institutions, contacts, access information.

Your knowledge of your own finances is a liability if it's not documented.

You know where everything is. You know the account at the Swiss bank and the crypto on the hardware wallet and the relationship manager at the private bank. Nobody else does.

If something happens to you, your family starts from zero. They discover accounts months later. They miss deadlines because they didn't know obligations existed. They leave money on the table because they didn't know it was there.

The Numbers on Wealth Transfer

UK wealth expected to be passed to younger generations could reach £5.5 trillion by 2047, according to M&G research. The average IHT bill where estates are liable stood at £215,000 in 2021-22—and projections only point upward as frozen thresholds meet rising asset values. HMRC collected £7.5 billion in IHT receipts in 2024.

The Saffery succession survey found that 42% of estate owners representing combined values over £300 million acknowledged they don't have a plan to prepare the next generation to run the family estate. This presents significant risk to long-term viability.

A founder's widow spent eighteen months trying to piece together her husband's finances after he died suddenly. He'd had everything in his head. Multiple banks, investment accounts, private investments, crypto wallets. She found accounts over a year later that nobody knew existed. Some she probably never found.

Create a master document. Everything you own, where it's held, how to access it. Update it annually. Store it somewhere your executor can find. Tell someone it exists.

If you got hit by a bus tomorrow, could your spouse find everything within a week? If the answer is "probably not," that's the work.

The Actual Priorities

I've given unequal attention to different threats in this chapter deliberately.

Cyber protection is the gap. Insurance and estate documents, most founders know they need. They might procrastinate, but the awareness exists. Cyber is different—people either dismiss it ("I'm not important enough to target") or assume it's handled ("I have good passwords"). Neither is true and the hackers are getting more sophisticated day by day. 

This week: Set up hardware security keys. It takes twenty minutes. Everything else can follow.

This quarter: Review insurance with a broker. An hour of their time identifies the gaps.

This quarter: Update your estate documents if they're stale. Create an asset inventory if one doesn't exist. The IHT changes from April 2026 (reduced BPR/APR relief) and April 2027 (pensions in estates) make this more urgent than it was.

When ready: Structure assets properly if you haven't already. Chapter 3 covers this.

The goal is covering the downside so you can focus on upside with confidence. Founders who know their protection is solid think differently. They take calculated risks without background anxiety about catastrophic loss.

Protection is boring. Do it anyway.

← Back to Chapter 7: Building Your Advisory Team

Continue to Chapter 9: Governance and Decision-Making →