
Cybersecurity and Data Privacy for Trustees: Protecting Assets

  • Attorney Staff Writer
  • Apr 2
  • 5 min read

Updated: Aug 23



Trustees handle sensitive personal data, financial records and instructions about beneficiaries’ assets and distributions. These assets are attractive targets for cybercriminals seeking to commit fraud, steal identities or divert funds. Recent statistics illustrate the scale of the threat: a 2023 analysis of email attacks found that the financial services industry received roughly 200 advanced attacks per 1,000 email boxes each week, with business email compromise incidents jumping 71% and vendor email compromise incidents soaring 137%. These attacks often involve impersonating executives, trustees or vendors to trick staff into changing wire instructions or authorizing fraudulent transactions.


Cyber incidents have shifted from hypothetical to real, and cyber claims within the trustee world are no longer speculative. In one example, criminals monitored a trust company’s email, waited for a busy day when recurring distributions were requested, then sent a spoofed email directing the bank to change wire instructions. By the time the trustee realized the scam, the funds were gone. Such incidents can be catastrophic for trust companies and family offices: they disrupt operations, expose private client information and erode beneficiary trust.


Cyberattacks are not limited to banks. Ransomware gangs have targeted file‑transfer software, exploiting zero‑day vulnerabilities to access and exfiltrate sensitive data. In the 2023–2024 MOVEit breach, a Russian ransomware group used an unknown flaw to break into a file transfer application used by pension systems across multiple states, compromising data on nearly 1.2 million participants and beneficiaries. The U.S. Department of Labor (DOL) considers cybersecurity failures a breach of fiduciary duty; in 2024 it warned ERISA fiduciaries to evaluate their cyber posture and updated its guidance to apply to all types of plans. Although ERISA rules apply to retirement plans, the principles of fiduciary duty and cyber risk management are equally relevant to trusts.


Fiduciary duty in the digital era

A trustee’s core obligation is to act in the best interests of beneficiaries and protect trust assets. In the digital age, this duty extends to protecting sensitive data and funds from cyber threats. Failure to implement reasonable cybersecurity measures, respond promptly to breaches or oversee third parties’ handling of data can constitute a breach of fiduciary duty. The DOL’s guidance for retirement plans calls for formal cybersecurity programs, risk assessments, third‑party audits, strong access controls, patch management, incident response planning, training and vendor oversight. Trustees should adopt similar best practices.


Building a robust cybersecurity program


1. Training and awareness

Human error remains the leading cause of cyber loss. Trustees should provide regular cybersecurity awareness training for themselves, employees and agents. Training should cover phishing recognition, secure password practices, generative AI‑based scams, and the importance of verifying instructions through a secondary channel. Awareness of evolving tactics, such as deepfake audio or AI‑generated emails, helps staff remain vigilant.


2. Strong authentication and secure communications

Implement multi‑factor authentication (MFA) across all systems that store or transmit sensitive data. Encourage the use of password managers and strong, unique passwords. All electronic communications involving wire instructions or distribution requests should be encrypted and confirmed through a second channel—usually a telephone call or secure portal. Never rely solely on email to authorize changes in payment instructions.
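As an added illustration (not code from the article), the following Python sketch expresses the second-channel rule above as a workflow: an emailed request only opens a pending change, and the new payment instructions take effect only after staff call the telephone number already on file and the beneficiary reads back the same account number. The email addresses, phone numbers and account identifiers are constructed sample values.

```python
# Added example: out-of-band confirmation of payment-instruction changes.
# Names, phone numbers and account values are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    PENDING_CALLBACK = "pending_callback"
    APPROVED = "approved"
    REJECTED = "rejected"

@dataclass
class BeneficiaryRecord:
    email: str
    phone_on_file: str      # verified at onboarding, never taken from an email
    account_on_file: str

@dataclass
class ChangeRequest:
    requester_email: str
    new_account: str
    callback_phone: str = ""   # number the email asks staff to call, if any
    status: Status = Status.PENDING_CALLBACK
    log: list = field(default_factory=list)

def receive_email_request(rec: BeneficiaryRecord, req: ChangeRequest) -> ChangeRequest:
    """An email never changes instructions; it only opens a pending request."""
    if req.requester_email.lower() != rec.email.lower():
        req.status = Status.REJECTED
        req.log.append(f"sender {req.requester_email} is not the address on file")
    elif req.callback_phone and req.callback_phone != rec.phone_on_file:
        req.log.append("email supplies a different callback number; use the one on file")
    else:
        req.log.append("request logged; awaiting callback to number on file")
    return req

def confirm_by_callback(rec: BeneficiaryRecord, req: ChangeRequest,
                        number_dialed: str, account_read_back: str) -> ChangeRequest:
    """Apply the change only after a call to the number on file in which the
    beneficiary reads back the same new account number."""
    if req.status is not Status.PENDING_CALLBACK:
        return req
    if number_dialed != rec.phone_on_file or account_read_back != req.new_account:
        req.status = Status.REJECTED
        req.log.append("callback failed: wrong number dialed or account mismatch")
    else:
        req.status = Status.APPROVED
        rec.account_on_file = req.new_account
        req.log.append("confirmed by callback to number on file")
    return req
```

The `log` list on each request is the audit trail a trustee would keep to show that the change was verified outside email.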


3. Vendor and third‑party management

Trusts often rely on accountants, investment advisors and software providers. These third parties present cybersecurity risks if they handle trust data. Contracts with vendors should include provisions requiring robust cybersecurity controls—such as phishing‑resistant MFA, data encryption, intrusion detection and timely breach notification. Trustees should conduct risk assessments to evaluate how vendors connect to trust systems, what data they access and how they safeguard it. If a vendor cannot meet these standards, trustees should consider terminating the relationship.


4. Regular risk assessments and monitoring

A formal risk assessment identifies vulnerabilities, rates their severity and informs remediation priorities. This process should consider all devices, applications, networks and users with access to trust data. Assessments are not a one‑time exercise; they should be performed periodically and whenever new technologies or vendors are introduced. Between assessments, trustees should monitor accounts and systems for unusual activity, unauthorized access attempts or unexpected file transfers.


5. Incident response planning

No organization is immune to cyber incidents. An effective incident response plan outlines the steps to take when a breach or fraud is suspected. Key elements include designating an internal team, engaging cyber insurance carriers and legal counsel, and retaining a forensics vendor. Immediate notification to banks and law enforcement can increase the chances of recovering stolen funds. The plan should also address data breach disclosure requirements and communications with beneficiaries to maintain transparency and trust.


6. Insurance coverage

Cyber insurance can cover the costs associated with breaches, including forensic investigations, legal fees, ransom negotiations and notification expenses. Trustees should evaluate whether existing professional liability policies include cyber coverage or whether a separate cyber policy is needed. Policies should align with the organization’s risk profile and may require certain security measures as a condition of coverage.


Protecting beneficiary data and funds

In addition to technical measures, trustees should implement policies and procedures to protect beneficiaries’ personal information. This includes limiting access to sensitive data to only those who need it, anonymizing data where possible and destroying records securely when no longer needed. Trustees must be especially careful when handling minors’ information, medical records or financial account numbers. Data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and various state privacy statutes may apply depending on where beneficiaries reside or where the trustee operates.

Trustees should also educate beneficiaries about cybersecurity. Beneficiaries who receive distributions electronically should be warned about phishing scams, asked to verify changes in payment instructions and encouraged to secure their own email accounts with MFA. This collaborative approach reduces vulnerabilities in the chain of communications.


Staying ahead of evolving threats

Cyber threats are dynamic. Criminals continually exploit new technologies and social engineering techniques. Trustees must stay informed by subscribing to cybersecurity newsletters, participating in industry forums and engaging IT professionals for guidance. Regular penetration testing and vulnerability scanning can reveal weak points before criminals exploit them. Updating software promptly and replacing unsupported systems reduces exposure to known exploits.


Conclusion: Embracing digital stewardship

Trustees are stewards not only of assets but also of data. In an era where cybercrime outpaces traditional theft, protecting that data is a core fiduciary responsibility. By understanding the risks, implementing robust security measures and fostering a culture of vigilance, trustees can significantly reduce the likelihood of a breach. Should an incident occur, a well‑prepared response can limit damage and preserve beneficiary trust. As digital tools continue to transform trust administration, cybersecurity and data privacy must become as integral to the trustee’s duties as prudent investing and impartial distribution.


Copyright © 2025 by The Trustee Handbook - all rights reserved. Powered and secured by Wix.

Disclaimer: The Trustee Handbook provides general educational content and is not a substitute for legal advice. No attorney–client relationship is created. Consult a qualified professional for guidance on your specific situation.
