Playbook 6

Vendor & advisor-chain breach

The breach isn't yours — it's your accountant, lawyer, fund administrator, bill-pay provider, or wealth platform. Their compromise exposes your K-1s, wire instructions, and family data.

The hard truth

You outsource the work, but you never outsource the consequences — the family's data leaks through whichever vendor is weakest.

The first hour

  1. 1

    Get the facts: what data of yours did the vendor hold, and what was accessed?

  2. 2

    Invoke breach-notification and indemnity clauses in the engagement contract.

  3. 3

    Rotate every credential shared with or through that vendor.

  4. 4

    Assume wire and banking threads are compromised; re-verify all in-flight instructions.

  5. 5

    Notify custodians and counterparties who touch the same data.

Stop the next one

  • A vendor inventory: who holds what family data, and their security posture.
  • SOC 2 (or equivalent) on file for every vendor touching money or family data.
  • Contract clauses for breach notification, indemnity, and data deletion.
  • Least-privilege access — vendors get only the data they actually need.

Questions we hear