Cybersecurity Within Your Family Office

Cybersecurity statistics show that family offices are at increasingly higher risk for targeted data breaches. According to a recent UBS Global Family Office Report, more than 22% of family offices in North America experienced a cyberattack.

Why are family offices particularly vulnerable to cybercrimes?

Family offices make ideal targets for cyberattack given the significant wealth involved. According to a study done by Campden Wealth & Schillings, family offices are managing almost 50% of ultra-high net worth family wealth. In addition to private wealth management services, family offices often handle the personal affairs of the family. They rely on a smaller staff who have access to large amounts of sensitive personal and financial data. Cyber attackers gain access to this information to commit extortion, fraud and identity theft, as well as attempt to capitalize on the family offices’ finances and reputation, which can threaten the safety of the family themselves.

Despite the risk and the rising number of data breaches, many family offices still underinvest in technology because of the cost and complexity of implementing the software and/or hiring IT professionals, leaving a large population of family offices vulnerable to cybercrime.

Common Cyberattack Targets

Research has shown that the most common way to breach a family office’s cybersecurity is through the people and staff who service the family members. Many of these breaches could be prevented using simple and well-established security practices. These are some of the reasons attackers can easily penetrate a family office:

• not utilizing up-to-date user password and credentialing requirements such as complex passwords and multi-factor authentication;
• using outdated software without the latest security patches and antivirus updates;
• staff sharing access and user credentials (passwords) to an employee-issued device with family and friends, exposing the family office network;
• staff connecting an untested device -- such as a flash drive -- that could be a source of viruses and malware;
• sending unsecure emails; and
• staff logging into public Wi-Fi networks or insecure or outdated Wi-Fi networks when working from home. The COVID-19 pandemic has increased this risk, with a record number of people working remotely.

A large majority of cyberattacks are the result of phishing emails. Phishing is a form of fraud in which attackers disguise themselves as trustworthy entities or persons in an email or other electronic communication. Attackers will commonly use phishing emails to deceive the recipient into downloading malicious software; providing personal information like account numbers or passwords, wiring funds or paying invoices to cyber-criminals. There has also been an increase in ransomware attacks. Ransomware is software that denies victims access to their critical data and system files until the victim pays a ransom, which is often spread through phishing emails containing malicious attachments.

Cyberattacks continue to multiply in number and sophistication which represents a major challenge for family offices. Criminals are targeting people's increased dependence on digital tools and connected devices including phones, tablets, cars and smart home devices. As a result, it is critical for family offices of all sizes to take action to measure, manage and monitor their overall cybersecurity risks, including being prepared to respond to a cyber incident.

How Can Family Offices Defend Against Cybersecurity Attacks?

The fact that many family offices have not prioritized cybersecurity in the past due to cost, complexity, and the belief that they were low-risk only increased their vulnerability to a data breach. Yet studies continue to show an increase in cybercrime, especially against smaller organizations, often with fewer than 500 employees. How can family offices manage and minimize the risk of a data breach and strengthen their cybersecurity defenses? The most effective measure to protect against cyberattacks is proactive risk management. Managing risk through a robust cybersecurity plan and effective policies and training can help avoid a costly cyber breach.

The following are steps family offices can take to protect themselves against the various types of cybercrimes:

1. Prepare a cybersecurity plan to address various types of cyber threats.

Review the types of data a family office collects, how that data is stored, and who has access to it. This will help you determine potential risks, choose technology, and develop policies and procedures to best protect that data.

2. Prepare an incident response plan.

An incident response plan allows you to, in the event of a security incident, quickly use pre-planned procedures to effectively deal with threats. The plan should cover events such as receiving a phishing email or phone call, losing a company-issued device such as laptop or cellphone, network intrusions, and ransomware attacks. The faster a family office can detect and respond to security incidents, the less likely it will incur significant financial losses or breaches of sensitive personal data.

3. Provide cybersecurity training and education to staff and family members.

People are the first layer of defense against cyberattacks. Providing staff and family members with cybersecurity training and education on best practices, policies, and procedures can help family offices avoid data breaches and other cyberattacks that are easily preventable.

4. Perform regular assessments, testing, and monitoring.

Regular vulnerability assessments and penetration testing, as well as 24/7 monitoring, are key components of a robust security plan. Vulnerability scans check for known weaknesses in systems and networks and generate a report on risk exposure. Penetration testing attempts to hack or penetrate systems to check for vulnerabilities. Testing and assessments are often performed by a combination of internally trained IT staff and third-party consultants and vendors.

5. Implement strong security controls and policies.

1. Download and install software updates as they become available.
2. Regularly change passwords and make them complex using a combination of letters, numbers, and symbols.
3. Use email encryption tools.
4. Use two-factor verification.
5. Use VPN to access the family office’s network and maintain a connected device policy covering the use of public Wi-Fi and home routers.
6. Back-up data nightly. This could prove invaluable in a ransomware attack where your data is being held hostage.
7. Limit employee access to data and information.
8. Limit authority to install software to administrators.
9. Require security audit reports from vendors being considered before contracts are signed.
10. Maintain and communicate social media policy for family members.
11. Maintain an inventory of routers, computers, phones, and other devices and ensure that each one has updated antivirus and firewall software.
12. Establish policies and procedures on payment authorizations.
13. Perform background checks on employees and contractors.

6. Consider obtaining a cyber-liability insurance policy.

Cybersecurity insurance could potentially cover losses from data breaches and business interruptions, as well as repairs and recovery from network damage.

In summary, creating and implementing a cybersecurity plan may sound daunting, but it allows a family to take advantage of the benefits of emerging technology while managing the financial and reputational risks. Remember, cybersecurity does not always mean expensive and complex technology. For a family office, education, awareness, and simple security policies are often the easiest and most effective way to protect against cybercrime.