By definition, family offices exist to manage the finances and other interests of small groups of people who are often prominent and extremely wealthy.
Meeting those objectives requires a family office to hold and transact business involving highly sensitive information about family members, their finances and their venture partners. The same technology that family offices and their clients depend on to communicate instantly and globally makes them compelling targets for criminals worldwide. Protecting client families from financial loss and harm requires family offices to be hands-on about matters their clients may never have taken into account.
Kinds of Cyber Attacks
- Client Impersonation. Criminals can learn a great deal about high-net-worth individuals from Internet research, public social media and ruse requests to “friend” victims. This reconnaissance enables phishing attacks against those individuals, using embedded malicious links. Successful phishing can in turn result in the attackers taking over and draining the individuals’ online financial accounts, fraudulently obtaining new credit in the victims’ names or sending spoofed—but realistic—asset transfer requests to the victims’ family offices.
- Family Office Impersonation. Criminals worldwide have perfected impersonating businesses online to fool others to invest in bogus deals or to sell and ship merchandise (anywhere) without paying upfront. The reach of this fraud has expanded as hackers have become increasingly adept at acquiring sensitive details using phishing attacks that fool even wary professionals to click on malicious links. Professionals at family offices are potential targets of this scam.
- Ransomware. Ransomware is a form of malware that locks up critical data sets through encryption or shuts down systems until the victim makes an extortion payment. The perpetrator usually requires payment to be delivered by hard-to-trace means, such as Bitcoin, before freeing the hostage data or system. Attacks of this kind have surged over the last several years as criminals have engineered ransomware that’s harder to detect, very difficult to disarm and highly effective at compelling huge extortion payments. Only if an organization has an uninfected duplicate can it avoid the hard choice between complete loss of a critical resource and making such a payoff. Small organizations, including those that developed their workplace systems ad hoc, are less likely to have undertaken that precaution.
- Hacking for Insider Business Advantage. Hackers are leveraging their craft to obtain inside information on investments. It appears that this trend now extends to the public securities markets. Pending federal prosecutions, for example, include a case charging that defendants phished M&A partners at prominent law firms to obtain and trade on undisclosed mergers of Fortune 500 companies. In another case, the defendants allegedly hacked embargoed public company announcements from a media distributor and traded ahead of the announcements’ release. These developments are only the latest manifestation of a longstanding trend of online spying for investments or other advantages relating to (legitimate) business ventures.
- Online Crime by Employees. Compensation, status, and personal loyalty are usually enough to make the trust placed in office management entirely well-placed. The same is almost as often true of lower-level staff. In family offices, as in other organizations, however, the shift to online business has increased the latitude that lower-level employees have over assets managed by the firm—including credit card accounts of family members and card-member benefits. With that shift comes an increased risk of crimes of opportunity, including embezzlement and fraud via online accounts.
Defending Against Threats
So, how can leadership of a family office defend against the multitude of technology-borne threats? For starters, leadership must let go of the fallacy that produced this dangerous state of affairs. New technology alone can’t fix this mess we’re in, nor is there a purely technological expert who can guide a business to safety. Thinking otherwise had a lot to do with creating the current morass.
Family offices need to resist the dangerous assumption that cybersecurity is exclusively a technology problem to be delegated to tech employees or wholly outsourced to third-party providers to fix. Safer risk management requires focus on the people and the business routines that the technology supports, not just the technology alone.
- Retain an Expert Cybersecurity Firm. IT and cybersecurity expertise overlap but aren’t the same thing. People who regularly investigate cyber attacks, and ethical attackers who work daily to spot and close security holes, see more and know more about protecting businesses than IT professionals tasked with maintaining systems in the ordinary course. Moreover, these cybersecurity professionals are practiced in studying and cogently presenting risk in thorough and standardized frameworks. These frameworks in turn can provide family office management with an efficient means to prioritize and budget for mitigation of the specific risks uncovered in an initial assessment. Subsequent assessments, at least annually, are necessary to keep pace with hackers’ endless adaptability.
- Consider Cyber Insurance Coverage. Hacking puts family offices at risk of being held financially responsible by venture partners if sensitive deal information is stolen. These risks are often further complicated by the expense of hiring a computer forensic expert to determine if or how the online attack occurred. Accordingly, a family office should consider whether insurance coverage is in place or can be obtained at an acceptable price. Close reading of exclusions in longstanding coverage as well as proposed cyber liability policies is often critical. A traditional comprehensive general liability policy may exclude electronic records from coverage of breaches resulting in third-party claims. A cyber liability policy may exclude claims due to theft or loss of a smartphone or laptop computer (unless the insured commits to encrypt all portable devices). Cyber liability policies also may exclude losses due to malware installed (but not activated) before the policy period or resulting from the insured’s failure to use best efforts to patch software with security updates.
- Adopt an Incident Response Plan. Hacking, suspected as well as actual, almost always disrupts operations. Leads indicating theft may remain equivocal for weeks or months. Preventing this fallout—and not wasting time in the midst of an emergency—requires preparation well in advance of an actual incident. It requires a realistic written plan. That plan should pre-assign the family office’s best lay troubleshooters to work on the problem together with IT staff, counsel, an outside security/forensics expert and, in the event of an embarrassing leak, a crisis communications expert. The plan should identify experts who’ve already agreed to respond in a crisis, lay out procedures for maintaining normal business operations and provide for communicating with family members and other stakeholders in a timely manner. It should also list a preferred law enforcement contact based on prior outreach, but that’s not all. The plan must lay out ground rules for a response to a malware attack, including whether payment of a ransom is permitted, who can authorize it, and how payment would be made. The best way to develop such a document is by regularly convening the response group to drill on realistic scenarios—led by counsel, the security expert or both—and by revising the plan accordingly.
- Take a Data Inventory, and Have the Courage to Cut It. Over time, organizations have become information addicts. They consume terabytes of it across many formats and repositories. If an organization is truly serious about reducing the damage from hacking, it needs two forms of courage. The first requires a hard look at what data the organization is actually amassing, how sensitive it is, who creates or has access to it and what rationale (if any) justifies acquiring more and holding any of it. The second requires management to be even braver—by setting and enforcing criteria to stop staff from creating, sharing and keeping so much sensitive data.
- Identify the Operation’s Crown Jewels. With the surge in ransomware attacks, family offices that have yet to do disaster recovery planning now have a very compelling reason to do so. The organization needs to protect access to all the information that management and family members reasonably expect it to have, including information in its exclusive possession. It’s this latter category of data that constitutes the “crown jewels.” The ability to recover from a ransomware attack (or any similar disaster) depends on copying this data to a safe location elsewhere, beyond the reach of the same attack.
- Implement a Mobile Device and Email Security Program. A family office is uniquely positioned to at least suggest, and sometimes mandate and implement, minimum security requirements for devices and email services used by family members. These requirements include up-to-date anti-virus, malware detection, defenses to intercept phishing emails and the capability to remotely wipe a compromised device. Those employed by the family office should be subject to the same—or stricter—security requirements.
- Assess and Pare Back the Scope of Online Access Granted to Line Staff. Support staff are sometimes given privileges to assist family members or management in transactions such as booking travel and ordering goods. In the hands of a corrupt employee, those privileges can be used to embezzle funds or fraudulently obtain merchandise in the principal’s name. Family office managers should know which staff members have online account access within the organization, and limit that access to what each role actually requires.
This is an adapted and abbreviated version of the author's original article in the March issue of Trusts & Estates.