Cybersecurity Forum: Risks Up, Insurance Costs Down


Our US correspondent attended last week’s FWR Family Office Cybersecurity Forum in New York, hearing experts discuss the state of cybersecurity, new attack vectors and, more positively, what can be and is being done to thwart bad actors.


Cyberattacks are becoming more frequent and sophisticated and
family offices are increasingly vulnerable. But there’s also good
news when it comes to cybersecurity: cyber insurance is becoming
more competitive and less expensive.


Cyber criminals are able to deploy the vast amount of data that
is already public on LinkedIn, Facebook, Instagram and other
social media platforms, in addition to using Zoom calls as a
starting point for an attack, according to speakers at the annual
Family Office Cybersecurity Forum presented by Family Wealth Report
and hosted by BNY.



“Everyone’s information is out there,” Mykolus Rambus, CEO of
Hush, a digital protection firm, said. “It’s an open book.
Cyberattacks begin with reconnaissance and criminals are looking
for points of leverage.” What’s more, the reconnaissance is
nearly free, detection is slow and “the cost to attack is tiny
versus the cost to defend,” said Scott Fogarty, CEO of Ridgeback
Network Defense. “And the risk of prosecution is near zero.”


To make matters worse, artificial intelligence has introduced “an
entirely new attack surface” for cyber criminals, said Waren
Finkel, managing director, Northeast, for Omega Systems, citing
deepfake impersonation attempts and AI-generated phishing
campaigns. 


Family offices “uniquely exposed”

Attackers use “target maps” to “search for the softest entry
point” on personal and professional applications, Charlotte
Evans, vice president of operations for Cyberwolf, said. 


The result hasn’t been good for family offices. Nearly half of
family offices in the US were victims of cyberattacks last year
and just 60 per cent are confident that their employees can
detect and prevent AI-powered cyberattacks.


Indeed, family offices are “uniquely exposed” to cyberattacks,
thanks to a culture of informal approvals, personal assistants,
speed over process and a multi-generational structure, Vishal
Chawla, CEO of Blue Ocean Cyber, said.


Catching an insurance break

But family offices are catching at least one break: because the
demand for cyber theft and disruption insurance is so high, more
insurance companies, including Chubb, AIG and CNA Insurance, are
entering the market, making it more competitive and lowering
prices, according to Seth Spreadbury, national family office
practice leader and vice president at Marsh McLennan
Agency.


“The market is expanding and more companies are getting into it,”
Spreadbury said. “Insurance companies prefer you [to] pay less
premiums than have to pay out a lot later. Family offices should
shop around.”


“Expanded risk landscape”

Nonetheless, family offices face plenty of challenges going
forward.


Artificial intelligence has “expanded the risk landscape” from
cybersecurity to data privacy to “emergent risks for generative
AI,” including bias, hallucinations, data poisoning and opaque
decisions, Murali Nadarajah, global head of R&D and AI for
Eton Solutions, said.


Family offices need “a new paradigm of detection” with an
emphasis on “preemptive security,” Fogarty said. All the more so,
because hackers can now stay in a system for 100 days or more,
said Blue Ocean’s Chawla. 


Improvement checklist

So what should family offices do to improve cybersecurity?


—  Establish approved enterprise AI platforms, Omega
Systems urged. Create formal acceptable use policies and classify
what data can and cannot be shared with AI tools. Require human
review for all AI-generated outputs.

—  Make sure cybersecurity vendors are subject to
comprehensive due diligence and be wary of vendor overclaims such
as “complete endpoint protection,” “controls all network access,”
and “stops data loss,” Fogarty said.

—  Upgrade default security settings, said Josh Bartlett,
senior account executive for Cyberwolf.

—  Build a culture of verification. “Cybersecurity isn’t
about technology, it’s about trust, verification and resilience,”
said Aruna Rawat, chief information security officer for Pure
Insurance. Verify via a second channel, use code words, slow down
urgent requests and run quarterly drills.

—  Have a checklist that includes a written incident
response plan, your bank’s direct fraud line, a pre-designated
outside counsel, insurer notification protocol and a
post-incident communication plan, Blue Ocean recommended.

—  Review your cybersecurity insurance policy, said Rawat.
What it covers may not be enough.

—  Stay away from free AI accounts and don’t use personal
AI accounts for work projects, said Farr Shepard, president of
Decypher Technologies. And when using AI, “if you don’t want to
see what you entered on the front page of a newspaper, don’t put
it in AI,” warned Annette Garcia-Acosta, Decypher’s
director of communications.

—  Don’t use passwords for security access. “They don’t
work,” said Gary Belvin, chief information security officer for
GDB Security. Use alternatives such as passkeys, Touch ID or
Windows Hello for Business instead.

—  Make sure there is always human oversight. Around 60 per
cent of family office cyberattacks are caused by human error,
according to BlackCloak. “The problem with cybersecurity is not
technology,” said Spreadbury. “It’s people using technology.”
