Resilience moved from the appendix to the headline
UBS just put a word wealth-management founders have been underusing at the centre of its flagship report. The 2026 Global Family Office Report, out 28 May, frames the whole year around resilience. For a startup competing against incumbents on trust, that reframing is an opening. The firms that can demonstrate, not just claim, that they recover from disruption will win allocations the brand names assume are already theirs.
UBS reframes the year around resilience
The report surveyed 307 family offices averaging USD 2.7bn and found them prioritising resilience and diversification over chasing yield. It also found cybersecurity is mostly outsourced rather than run in-house. For a WM founder that is a build-vs-buy signal. Clients no longer expect you to own a security operations centre, but they do expect you to own the governance around the vendor who does. Owning the contract, the testing schedule and the recovery plan costs far less than owning the stack, and it is the part principals actually ask about. UBS Global Family Office Report 2026
A breach wave is hitting the advisers, not just the banks
ShinyHunters claims it took 641,000 records from Pathstone, after similar hits on Mercer Advisors and Beacon Pointe. These are advisory firms, not retail banks. The lesson for founders in London and Zurich is uncomfortable: attackers are going after the exact trust relationship a new manager is trying to build. One disclosed breach can undo years of relationship-building, and a young firm has no brand equity to absorb the hit. Incident-response readiness is not an IT line item. It is reputational insurance. Cybernews
Regulators in two of your three markets now assume resilience
FINMA’s Guidance 05/2025 set 1 January 2026 as the date every supervised firm must show it can withstand and recover from disruption, whatever its size. In the UK, 2026 is the first full “steady-state” year for the FCA’s operational-resilience regime, and the regulator published self-assessment observations in March. A founder raising in both markets can treat this as a moat: documented impact tolerances and tested recovery are a licence condition and a credible pitch differentiator at the same time. FINMA operational resilience 2026, FCA observations
The offshore leg carries its own cyber expectations
If your structure touches Cayman or Bermuda, the regulators there have caught up. CIMA’s cybersecurity Rule and Statement of Guidance, reinforced by its thematic review, sets baseline controls for regulated entities, and Bermuda’s BMA expects a cyber risk self-assessment inside annual prudential returns. Founders treating offshore vehicles as low-governance shells are mispricing the risk. Ogier on CIMA cybersecurity review
AI raises the floor on fraud
Deepfake fraud attempts are up more than 2,000% over three years, voice cloning is up 680%, and the average loss now tops USD 500,000. The trusted call from a known adviser, the founder’s core service, is now the attack surface. Verification that does not rely on recognising a voice is worth building before the first incident, not after. Percepture
This week, the Family Wealth Report Cybersecurity Forum on 11 June will show where peers are spending. The takeaway for founders: resilience has stopped being a cost centre you defend in a board meeting. It is a line you can put in a pitch, and increasingly the one principals read first.