It’s no longer just the risk of IT systems being compromised from outside — though that risk remains high. Companies must also address internal exposures and sophisticated, AI-based social engineering attacks. BPM Advisory Director Kris Marney, who has 20+ years of experience in accounting leadership and co-leads our Family Office Services practice, is joined by BPM Partner Fred Rica, an authority on cybersecurity, to discuss cyber strategy for family offices.
Consider the following scenario… You’re out of the country. An assistant at your family office receives a voicemail with instructions to wire $225,000 to a registered bank. A text follows from your mobile number with SWIFT code instructions and account numbers. Within minutes, the assistant receives a scripted email from an account that looks like yours, saying you need the transfer sent quickly to complete an art purchase but don’t have secure access while traveling.
The voicemail sounds like you. The email reads the way you write. Both appear to be from your accounts, and your assistant knows you collect art. The transfer amount is sizeable, but below the threshold of many family members’ elective outlays. All seems logical and above board. But you’re on a plane — incommunicado.
What would your assistant do? Effect the transfer?
Sound implausible? Profiling allows bad actors to build detailed profiles of you and your family based on your social media posts and publicly available information. Then, they leverage AI and voice software to impersonate key officers or family members.
Cybersecurity has become a necessity for family offices as cybercrime has proliferated to an unprecedented extent. Phishing attempts look increasingly authentic, with well-crafted copy and careful imitations of company logos, colors and typography. Some appear to come from your own management or include an authentic hijacked email thread, and malicious links take people to websites masquerading as legitimate ones.
Family offices are a prime target for cyber criminals
Cyber risk has topped the corporate risk management agenda for more than a decade. Such focus would lead one to believe that family offices are handling cyber risk. In our experience, that is not the case. An ultra-high-net-worth family office is a target. Lacking the infrastructure, resources and technical skills that banks and corporations deploy to address proliferating cybercrime, even a larger family office can lag behind developments in cybersecurity that would help it counter prevailing risks.
Risks include the growing number of external ransomware attacks — to which many succumb. Refusing on principle to pay a ransom, they have no game plan to respond within the stipulated timeframe. With no backup plan and no expertise in response, they lose key data. Even if they do pay, many receive no data back at all.
Other cyber risks include operations with employees who essentially hold the keys to the kingdom, with login access to bank and brokerage accounts for the family’s many business interests, as well as credit card and personal spending accounts. And never discount the risk of a distracted employee making an instinctive choice — a bad choice — in responding to a request in an unverified, unsolicited email.
Four essential pillars of family office cybersecurity
It’s vital that your family office has a robust cybersecurity and awareness plan along with tools to comprehensively address risks. Your cybersecurity strategy must rely on either in-house IT or external consultants. To get started on the right track, ensure that your family office’s cybersecurity plan rests on four principal pillars:
- Develop internal controls to address perceived risks. Identify areas of the most critical risk and ensure cybersecurity procedures are in place to address them. Examples include a policy for verifying money transfer instructions and dual approval for the release of funds, or one ensuring data is encrypted in transit rather than sent “in the clear.”
- Educate and train employees on forms of cybercrime and other risks. Security breaches often occur due to unwitting mistakes by employees in the organization. Mistakes stem not only from phishing or spoofing but also logging into unsecured networks while traveling, using a free wireless hotspot or charging from a free charging point. Patches and updates should always be kept current.
- Limit access to data across functions and/or examine account access protocols. As a family office grows organically and executes its multiple business and philanthropic ventures, it is vital that only a limited number of authorized users have access to specific accounts. Other cybersecurity provisions include requiring strong passwords with multi-factor authentication for organization devices, login time-out provisions and limitations on access to sensitive data via assigned internal control roles.
- Develop a readiness response plan. You cannot eliminate all cyber risks. You can, however, be prepared for what could happen. This means having a business continuity plan and playbook for responding to issues like data breaches or ransomware. These are vital when you have to act fast to protect the family.
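One way a family office could encode the verification and dual-approval controls from the first pillar, as an added example (not BPM’s procedure or tooling): the threshold, directory and role names are constructed assumptions, and the scenario function models the $225,000 request described at the start of the article.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 10_000          # assumed policy threshold in USD (constructed)
DIRECTORY = {"principal": "+1-555-0100"}  # office directory: the only source of callback contacts (constructed)

@dataclass
class Verification:
    outbound: bool    # True if staff placed the call; False if they replied to the message
    contact: str      # number or address actually used for the callback
    confirmed: bool   # True only if the person reached explicitly confirmed the instructions

@dataclass
class WireRequest:
    claimed_from: str                 # who the instructions say they are from
    amount: float
    initiated_by: str                 # staff member who keyed the request
    verification: Optional[Verification] = None
    approvals: list = field(default_factory=list)

def release_decision(req: WireRequest) -> tuple:
    """Return (approve, reasons); the wire is released only when reasons is empty."""
    reasons = []
    # Control 1: out-of-band verification. Caller ID and sender addresses can be spoofed, so a
    # reply proves nothing: staff must place the call to the directory contact and obtain an
    # explicit confirmation. If the principal is unreachable, the transfer waits.
    v = req.verification
    if v is None:
        reasons.append("no out-of-band verification performed")
    else:
        if not v.outbound:
            reasons.append("replying to the request is not out-of-band")
        if v.contact != DIRECTORY.get(req.claimed_from):
            reasons.append("callback contact was not taken from the office directory")
        if not v.confirmed:
            reasons.append("principal did not confirm; hold the transfer")
    # Control 2: above the threshold, two distinct approvers, neither of them the initiator.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        approvers = set(req.approvals)
        if len(approvers) < 2:
            reasons.append("fewer than two distinct approvers")
        if req.initiated_by in approvers:
            reasons.append("initiator may not approve their own request")
    return (not reasons, reasons)

def scenario_request() -> WireRequest:
    """The article's scenario: a $225,000 wire asked for by voicemail, text and email (constructed)."""
    return WireRequest("principal", 225_000, "assistant", approvals=["assistant"])
```

Run against the scenario, the request is held on three grounds at once; it is released only after an office-initiated call to the directory number is confirmed and two people other than the assistant approve.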
How is your family office protecting itself from cyber threats?
Cyber risks are constantly morphing — and artificial intelligence raises the bar. The best roadblocks to cybercrime combine aggregated data analysis tools that allow management to continuously monitor and address emerging risks, and an educated workforce. Employees must be attuned to their responsibilities and capable of exercising good judgment — and know who to turn to if they accidentally “click.”
As the risk of attacks increases, family offices must continually invest in updates and new protocols for their cybersecurity plan. A rigorous assessment of vulnerabilities and risk measures in place sets a baseline from which you can establish your most pressing exposures. You can augment existing controls and critically examine your incident response, ransomware readiness playbook and business continuity plans.
Criminals know where the money is. They know where the holes are and how to exploit them. And the target is you. When a threat arises, do you know how to respond? Are you doing all you can?
For more information on cybersecurity and how to protect yourself, contact us.