As cybercrime levels continue to increase, family offices and the families they represent can offer tempting targets for criminals. What are the most common types of attack, on what scale, and how can you safeguard your family office and protect wealth?
“A combination of money, investments and sensitive data make wealthy individuals, families and family offices a prime target for cyber criminals,” says Russell Prior, Head of Family Governance and Family Office Advisory, HSBC Global Private Banking. Research carried out by Campden in partnership with Schillings, found that 28% of ultra high net worth international families, family offices and family businesses have experienced an attack1. And the risks for family offices are multiplying in step with our increasing reliance on devices and the growing use of remote information exchange.
A growing threat
With the risk/reward profile firmly in favour of the cybercriminal, attacks generally follow two main lines: hacks and scams. A hack will see the cybercriminal try to gain access to a protected system in order to control, manipulate or steal data. Attacks often rely on an individual clicking a link to allow the download of malware (malicious software).
The high-profile ransomware attack on New York law firm, Grubman Shire Meiselas and Sacks, is a good example of an attack initiated by hacking. Recognition of the firm’s roster of A-list clients, saw the criminals double the original USD21m ransom demand as they threatened to leak sensitive data. The firm declined to pay the ransom and, although some data was subsequently recovered, other data remains at large. And the threat is growing. According to Interpol, criminals are increasingly exploiting fears, remote device locations and lax security protocols born out of the COVID-19 pandemic to target individuals with malicious links. Around 48,000 malicious URLs were detected in a four-month period to April 20202.
Scams, on the other hand, tend to use information that’s readily available or easily harvested using social engineering. This works by criminals monitoring social accounts, cold calling targets or hacking into a business’ database to gather client details, and using them to try to trick data or cash out of people or companies. Social engineering was recently used to defraud a UK family office out of £6m through a fraudulent art purchase, by tricking the victim into emailing funds to the criminal’s bank account instead of the seller’s3.
The vulnerabilities that exist in family offices
As we live more of our lives and conduct more of our business online, the threat increases. For family offices, new vulnerabilities are created through employees working from home using potentially insecure Wi-Fi networks or devices, and new systems to share files or collaborate remotely, combined with the sheer pace of change. The Campden research highlights that over a third of those surveyed had no cybersecurity plan in place4, which simply compounds existing risks.
These include family members sharing personal information on social networks – which criminals can use to make their attacks more plausible – but also the risk of information concentration. This can occur in small family offices where system access, sensitive data and even passwords allowing authentication are held by a single individual. The risk to the family office should that individual be compromised is potentially huge.
The need to respond
So why then, if the risks are so high and the potential losses so significant, aren’t family offices doing more to protect themselves? Robert Stover Jr of EY, speculates that fewer regulatory requirements for family offices when it comes to security, particularly compared to those required for registered financial firms, could be a factor5.
“The Financial Conduct Authority certainly expects high standards of operational resilience from regulated firms, and rigorous cybersecurity is part of that,” says Russell. “But the lack of action could also be due to lack of awareness or a sense that this isn’t a priority, which is why we’re keen to have these conversations with family offices and the clients they represent.”
Protecting the family office
Creating a robust cyber-security system means tackling both the human element and the technology side, employing tried, trusted and verified processes and software and educating employees about the threats and how to identify them. The FBI has created guidance on how to prepare, protect and respond to threats, including ransomware6. Both personally and professionally, there are a number of tools and procedures that can help mitigate risk:
- Keep all computer software and devices updated
- Use secure connections to transmit all information
- Communicate important financial information such as sort codes and account numbers by phone, and avoid public wi-fi and even public places if doing so over mobile phone
- Consider using an encrypted email system or a password manager. Use two-step verification whenever it's available
- Make sure any smart devices are password protected and also have two-step verification enabled
In addition, there are several tactics that family offices and their clients can introduce to support the security systems in place to protect them. The first step is to be prepared:
- Staff should have ongoing training on new and existing threats as well as how to prevent and detect them
- Passwords should be strong and backed up by multifactor authentication. Firms should also employ administrator rights to ensure that data is only available to people who need to access it
- All family offices should test their IT environment for weaknesses and use in-house or outsourced monitoring to detect any unusual behaviour. A security specialist can be an extremely useful advisor
- Back-up to a secure, independent network. In the event that data is held to ransom with the threat of deletion or corruption or denial of service, your data can be restored and used to maintain operations
While firewalls and antivirus software are important, robust processes are also essential to ensure the family office is as protected as possible.
- Thoroughly scrutinise investment opportunities, offers of tax rebates, and official-looking emails that talk about government relief programmes. Where possible, try not to follow links in emails or texts, and visit the website directly through a browser search
- Family offices should be sure that they have up-to-date contact information for all clients. Consider using a password for future checks or updates to verify authenticity
- Always independently verify bank account details. For example, directly call the client to verify an emailed change, using the number on file, not the number in the email. If in doubt, ask to transfer or be transferred a nominal amount – less than a dollar – to ensure it reaches the right account
When it comes to maintaining privacy and protecting your personal information, there are a few steps that you can take.
- Ensure social media accounts are set to the highest privacy settings and choose those with built in encryption
- Consider using a pseudonym rather than your actual name when posting on forums or social media
- Think twice before posting – what information are you allowing access to, even a photo can show location information or enable geolocation
- Optimise software or device security, for example, by changing the local region on your mobile phone or deleting cookies after a browsing session ends
- Educate all family members on the potential dangers and security risks
- Ensure any electronic data you delete is removed securely and can’t be retrieved
A combination of money, investments and sensitive data make wealthy individuals, families and family offices a prime target for cyber criminals, - Russell Prior, Head of Family Governance and Family Enterprise Succession, HSBC Global Private Banking.
1 http://www.campdenwealth.com/article/more-quarter-uhnw-families-targeted-cyber-attack ↩
2 https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19 ↩
3 https://www.ft.com/content/cdfe8d97-6431-48e2-a8a7-7d760c6e9ed6 ↩
4 http://www.campdenwealth.com/article/more-quarter-uhnw-families-targeted-cyber-attack ↩
6 https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view ↩