Cyber security threats are increasingly targeting family offices. We recommend a systematic approach to mitigating the ongoing threats to family wealth and privacy.
When asked why he robbed banks, a prolific thief of the Great Depression era famously replied:
because that’s where the money is.
While their raids are far more sophisticated, today’s cyber criminals often apply a similar principle.
Family offices – which typically manage hundreds of millions of dollars or more – thus represent an obvious target for their nefarious schemes.
Whereas the methods involved in a physical hold-up have changed little in generations, the threats from cyber criminals are constantly evolving.
What is more, their opportunities for forcing digital entry are abundant.
Transmitting insecure data
Family office personnel are typically now expected to be within digital reach of the families they serve 24/7.
Both they and indeed the families they serve may transmit potentially important data in an insecure fashion multiple times each day.
Emails, text messages, social media posts, search engine histories, friend lists, photos, location details and device usage are just some of what they routinely share without a second thought.
The information contained in them – whether alone or combined – may help a cybercriminal to launch an attack on a family or their family office.
Significant financial losses, disruption to operations and the public disclosure of personal or business secrets are among the potential negative consequences.
So, what can family offices do to help protect themselves and the families they serve?
We recommend that they establish a comprehensive information security program that is geared to adapt to new threats.
Such a framework should be based on the three security pillars of people, processes and technology.
People are often the weakest link in the information security chain.
Their awareness of threats and ways to guard against them can be highly variable.
A family office can therefore seek to increase education and awareness among both its personnel and family members.
Beyond that, though, we advise a regularly updated cyber security policy that incorporates measures for preventing cyberattacks and an action plan for if a breach occurs.
Processes and technology
As for processes, family offices should consider working with internal or external partners to test awareness of their cyber security policies regularly.
Due diligence performed on cyber security protocols for family members ought to be extended to staff, vendors and suppliers.
Shutdown protocols in the event of the initial discovery of a cyber intrusion should exist, with an efficient alert mechanism for the entire office.
The technology infrastructure must be robust and secure with the latest updates and operating software.
Family offices might also consider installing back-up IT infrastructure should the primary framework be crippled or compromised.
Avoid putting your data at risk
Of course, the best way to prevent attacks is by anticipating where breaches may come from, securing communications and exercising caution when using personal devices.
Some straightforward measures could go a long way in mitigating threats. These include:
- Accessing corporate data by only using security tools implemented by the family office
- Avoiding free public Wi-Fi networks (if unavoidable, consider using a commercially available virtual private network [VPN] solution)
- Exercising caution when clicking on any links or opening attachments
- Exercising caution and common sense when sharing information across social media, geotags, app records and behavioral trackers in cyberspace
- Tightening security on social media profiles and deactivating dormant profiles
- Unsubscribing from mailing lists
- Removing address details and other personal information from the public domain
- Having an up-to-date browser and regularly clearing browser information
Still, even the best laid plans can go awry.
Despite every effort to prevent them, breaches can happen nonetheless.
If they do, cyber insurance offers another potential line of defense.
A cyber insurance policy covers losses relating to damage or loss of information from IT systems and networks, with the initial cover being put in place following an underwriting process.
Of course, insurance at its core is a risk management tool.
But alongside protection, the insurance process also offers family offices an opportunity to audit, evaluate gaps and build customized solutions.
Actuarial data for cyber insurance is in its infancy compared to more established lines.
However, underwriting practices are improving as the size of the market grows, threats expand and the attack data sets are analyzed.
Going through an underwriting process with an insurance broker and carrier can also provide family offices with a better understanding of the current state of cyber security issues and how they measure up compared to peers.
The criminals of this world will likely always be with us, reinventing themselves and their techniques with the times.
But by being aware, planning and taking precautions, family offices, families and many others can reduce their risks of falling victim.