PMR-2026-0619-GLBL-006 · Defense & Security Intelligence
A cyber breach forces a physical shutdown; a phone call defeats a technical control; an insider is one person with a badge and a login. Risk has merged into a single surface, but accountability for it is split across a cyber chief, a physical-security head, and a general counsel, and in most family offices no one owns it at all. This brief argues the binding constraint is no longer spend or tooling. It is ownership.
Read the full PMR (PDF) →Durable read · Update on a material change in security-leadership, board-governance, or family-office risk-ownership data
Key Judgments
Six judgments anchor this assessment. Each is tied to cited evidence in the body of the brief and carries an explicit confidence level. The four below are the load-bearing four.
- High confidence. Risk has converged into one surface but organizations have not: formal physical-cyber convergence sits near its 2019 baseline of about 24 percent, even as 73 percent of organizations suffered an intrusion affecting operational technology in 2024.
- High confidence. Regulation and case law made security a board and personal matter, the 2023 SEC rules and a security chief criminally convicted over a breach, yet about 79 percent of the S&P 500 park it in the audit committee and only around 4 percent of directors feel able to oversee it.
- High confidence. The exposure is most concentrated and least owned in family offices: 43 percent suffered a cyberattack and 63 percent carry no cyber insurance, while only a minority have any formal risk leadership.
- Moderate confidence. The market is answering with a single-owner seat, the converged Chief Security Officer or Chief Risk and Resilience Officer, and a fast-growing integrated-risk advisory industry, but adoption lags the threat and competes with AI for attention.