As anyone operating in the digital world knows, simply opening an internet browser exposes you to risk. For family offices that risk is more acute, and attacks are on the rise. As Boston Private points out, ‘Over a quarter (26%) of family offices have suffered a cyberattack. In almost two-thirds of these cases, it happened within the last 12 months.’ As the discussion around family offices digitising their operations picks up pace, if ever there was a time for family offices to get serious about their digital security, it’s now.
What are the common cybersecurity risks family offices should be aware of?
The biggest threats posed to family offices aren’t that different from those faced by the rest of the world; the difference lies in what is at stake. “Family offices should be acutely aware of several key cybersecurity risks. This includes phishing and ransomware attacks, data breaches, insider threats, and third-party risks, all of which can lead to significant financial and reputational damage,” says Eton Solutions CIO Muralidhran Nadarajah. “The emergence of generative AI has introduced new threat vectors, with hackers now capable of creating sophisticated deep fakes and phishing/vishing attacks using analyzed voice, video, email, and social media data.
The need for heightened vigilance is paramount in this new era of threats, especially as many of these sophisticated attacks are orchestrated by state actors.” Naturally, the biggest concern for family offices is financial, given the level of wealth they’re dealing with, but money isn’t the only thing they stand to lose. “Sophisticated modern cyberattacks today will almost always have a physical-world component. In the case of family offices, this can be deep research or intel that the attackers obtained or compiled, which will bring the quality of their phishing attack or social engineering to the next level,” says Tobias Jaeger, Founder & CEO of Falcone International. “A family office is often run by a small group with a lot of power and doesn’t necessarily follow the same decision-making routes and operational rules as an investment firm with similar AUM (assets under management). This makes it easier for attackers to shortcut certain actions that these individuals would never do otherwise.”
The reality is that social engineering is often where attacks start and not necessarily highly technical hacking or exploits.
What should family offices know about cybersecurity?
The reality of knowing that your family office could be so vulnerable is a pretty grim one, but fortunately for family offices, they’re in a slightly better position than most to protect themselves. Eton’s Muralidhran Nadarajah notes that “large single family offices have the resources to create dedicated security departments and infrastructure for effective data protection.”
So, what are some ways they can protect themselves? According to Tony Gebely, CEO of Annapurna, tackling family office cybersecurity isn’t one-dimensional and should be approached internally as well as externally. “Cybersecurity is not a ‘technology problem’; it is a multifaceted challenge that extends far beyond the realm of technology,” he says, and trying to resolve it alone isn’t the way to go. “Employing best practices will bolster efforts to some extent, but this is a very risky approach. Utilizing a third-party expert to identify and prioritize risks within the family system is the best approach to achieving cyber resilience.”
Concierge Cyber CEO Kurtis Suhs echoes this, and adds that auditing processes deserves the same priority as auditing people and technology. “Family offices need to address people, processes and technology. People: Does the family office require security awareness training for all employees? Processes: Does the family office network have a Written Information Security Plan (WISP) that addresses policies such as email security, mobile devices, business continuity, disaster recovery, physical security, and incident response? Technology: Does the family office utilize multi-factor authentication and endpoint protection?”
The bottom line is that there is no silver bullet for cyber protection. In the same way a family office would default to external expertise when entering an unfamiliar asset class, it should consider doing the same here. Annapurna’s Tony Gebely advises family offices to understand what they seek to gain by investing in cybersecurity, but ultimately that cost would be lower than dealing with a breach. Falcone’s Tobias Jaeger seconds this: “The cost of fixing a problem can easily be a factor of 100x compared to an investment into measures that would have prevented the issue in the first place.”
How can family offices protect themselves against cyber-attacks? What are some of the tools available to them?
Before launching any process updates, Concierge Cyber’s Kurtis Suhs suggests starting with a vulnerability test. “This would include an external scan of their network for outsider threats and an internal scan for insider threats. Any discovered high vulnerabilities should immediately be remediated and medium threats should be addressed within 30 days.”
From there, he says the entire organization must embrace a protective mindset. “Cybersecurity risk management involves the entire C-Suite. For example, Legal should evaluate third-party contracts, particularly those vendors that maintain PII, with respect to mutual indemnity and hold harmless provisions,” says Suhs. “The CFO should ensure the family office has a call back requirement with their financial institutions. The Chief Security Officer should implement multi-factor authentication, endpoint protection and oversee vulnerability testing. The Facilities Manager should ensure that the family office has physical security to protect tangible assets. And most importantly, the family office should have a cyber incident response plan and annually test that plan to ensure business continuity,” he continues.
And even once a strategy has been put in place, it will only succeed with constant monitoring and regular status updates. Eton’s Nadarajah says: “Implementing security measures, continuous staff training, consistent system monitoring, crafting incident response plans, conducting third-party assessments, backing up data, and enforcing multi-factor authentication are all vital practices for robust cybersecurity. An essential addition to these practices is a regular audit of the family office’s security posture and a vulnerability assessment by a recognized external party. This process instils confidence in the sufficiency of the security framework in place.” Securing a family office is not a one-off task; it is a continually evolving process, because the threat landscape keeps changing.
In short, the more family offices embrace technology, the more they will have to grapple with cybersecurity risks that can result in significant financial and reputational damage. To protect themselves, family offices should prioritize digital security and employ best practices, but most crucially they should seek external expertise. A two-pronged approach that combines internal and external audits and processes is advised for long-term safeguarding.
By investing in cybersecurity measures, family offices can mitigate risks and avoid costly breaches, but this won’t succeed without also conducting vulnerability tests, implementing protective measures, and continuously monitoring the organization’s security framework.