In this article:
- Risk: Data Storage and Exchange of Sensitive Information
- Recommendation: Network Security (Human and Digital)
- Risk: Lack of Visibility Leads to Compromised Information and Systems
- Recommendation: Monitor and Report through a Security and Operations Center
- Risk: Numerous Properties’ and Entities’ Technology to Manage
- Recommendation: Transparent Integration of Home, Office, and Personal Tech Infrastructure
- Risk: Lax in Multi-Factor Authentication Methods & Password Management Protocols
- Recommendation: Limited Access and Multi-Factor Authentication
- Trends Influencing Cybercrimes against the High-Net-Worth Community
- Key Cybersecurity Questions for High-Net-Worth Individuals and Family Offices
It may come as no surprise that the risk of cybercrime continues to grow. Nonetheless, a number of contributing factors in today’s environment, from increased remote work to organizations maturing their security infrastructure, have further amplified the risk for individuals and family offices.
The overall security of high-net-worth families can appear to be an afterthought, with technology solutions and services reactively pieced together over time in response to emerging needs. In fact, approximately 32% of family offices do not have a dedicated cybersecurity policy or plan in place [1]. As such, 30% feel “insufficiently prepared” to protect themselves from a cyber attack [1].
These numbers persist even though, in a 2020 survey of global family offices, 96% of those surveyed had experienced at least one cyberattack, and 37% of North American family offices experienced one or more cyber attacks in the last twelve months alone [2, 1].
Offering some source of comfort, 31% of younger-generation individuals plan to prioritize cybersecurity, indicating that it’s essential when stepping into command of the family office or family business [3]. Cybersecurity was the second-ranked topic amongst the surveyed group (falling only slightly behind business strategy at 34%) [3].
As both the reliance on technology and the complexity and frequency of threats facing high-net-worth individuals and family offices evolve, understanding the risks and solutions associated with cybercrime, fraud, privacy violations, and technology requires a holistic approach.
Family security is a singular initiative, with many contributing components. Geller’s multifaceted approach, and unique perspective as a virtual family office with an enterprise-level information security program, has allowed us to identify a number of risks unique to families of considerable wealth. This article outlines real-world examples of these potential areas of weakness with recommendations for how they can be addressed so that individuals and family offices are better able to plan for the security of their family and, in turn, their legacy.
Risk: Data Storage and Exchange of Sensitive Information
High-net-worth individuals and their family offices often have a number of independent parties exchanging data within their inner circles. These communications often come without effective protocols and processes around how sensitive data is exchanged, creating exponential risks that are difficult to mitigate in a meaningful way.
In addition, some independent parties that work with individuals and family offices may have weaker security protocols due to their smaller size. From cellphones to tablets, to personal computers and hard drives, sensitive materials are consistently being shared and, if not protected, are vulnerable to compromise.
Recommendation: Network Security (Human and Digital)
The first step for mitigating this risk is to identify and document who the key counterparties exchanging information are, as well as what type of information/data is moved between them. These should be viewed as dynamic documents in order to reflect life changes and needs.
Once the involved parties are identified, a secure exchange medium should be agreed upon and leveraged for all communications. Examples of this technology include secure document sharing sites and encrypted email platforms. The process of information exchange should also include multi-layer approvals and verbal authorizations, where appropriate, to mitigate the risk of fraudulent money or physical asset movement.
It is important to remember that your security is only as strong as your weakest link. As such, it is wise to conduct a third party risk assessment, in which consulted experts identify any data and technology risks, cybersecurity concerns, and regulatory and privacy requirements specific to third parties.
Risk: Lack of Visibility Leads to Compromised Information and Systems
There is a considerable lack of visibility by high-net-worth individuals, their families, or heads of family offices into the unauthorized access or compromise of their information, systems, devices, and accounts.
This is often due to the number of trusted individuals working for or with wealthy individuals and the lack of systems or policies in place to govern information access, making it extremely challenging to gain greater insight into when a potential breach has occurred. An undiscovered breach can provide cyber criminals with a window to observe technology patterns and use, allowing them to time their cyber-attack for maximum impact.
Family offices may be less likely to update software, but updates often tackle security faults, and a failure to update software regularly can open the door to bad actors.
Recommendation: Monitor and Report through a Security and Operations Center
Ensuring transparency through active monitoring and reporting, not only across financial accounts but across all possible technology assets within an individual or family’s life, is essential to alleviate this issue and increase trust and peace of mind.
One method for creating this level of transparency is through the implementation of a Security Operations Center, where monitoring of key alerts and events can be triaged and escalated accordingly. A Security Operations Center can also provide threat intelligence specific to where a family is traveling, the industries or sectors they invest and work in, and general vulnerability data that may be of interest to provide clarity and security.
Risk: Numerous Properties’ and Entities’ Technology to Manage
There are likely many properties and entities that must be managed and integrated to create security synergy between a high-net-worth individual, their family office, and third party providers.
We continue to learn that the technology support often employed for these properties and entities does not keep security top of mind, and in turn lacks the training and expertise required to ensure individual technologies are secured through formal risk assessments, monitoring, and auditing. As a result, there is little to no integration between the technology and the family’s lives and workflows.
The increase in remote access to retrieve private information has further complicated this issue by creating gaps that can be exploited by unauthorized individuals or hackers. Data encryption and protection have never been more important, and hackers on the dark web have never been more sophisticated.
Recommendation: Transparent Integration of Home, Office, and Personal Tech Infrastructure
It is of utmost importance to identify a third party partner who understands the unique risks facing individuals and families of wealth, and who has the capabilities required to offer the assurance and transparency needed to truly integrate the family members’ lives and family office’s operations.
Once a partner is identified, the next steps would be to build out not just a support model, but a more secure architecture for both the family’s home(s) and family office. It is essential that all technologies are incorporated for seamless use, and that there is security synergy wherever the family members or family office staff may travel. For example, a major gap would be creating great security at a primary residence, but having poor security posture at a vacation home or family member’s residence.
The right technology can help a family and their family office strike a balance between trust and transparency. Audit trails and notifications regarding access to accounts and office/home infrastructure serve as a great way to help ease the feeling of not knowing what’s going on when a family member can’t physically “see” what is happening.
Risk: Lax in Multi-Factor Authentication Methods & Password Management Protocols
Password management, or password complexity, has historically been a pain point for individuals and enterprises alike. However, we are beginning to see corporations adopt more complex password requirements and password management applications, leading to improved password hygiene in the enterprise space.
In contrast, we continue to see gaps in the adoption of password management best practices with family offices and high-net-worth individuals. The desire for information to be easily accessible to a number of trusted personnel tends to drive the hesitancy to adopt better habits.
When a number of people have access to an individual’s passwords, the result is often outsized access and misalignment to the security principle of least privilege. It is quite common to see employees with outsized access to information because of the lean staffing nature of most family offices. This risk can also lead to a lapse in multi-factor authentication across sensitive accounts, as well as weaknesses in financial and physical asset controls.
Recommendation: Limited Access and Multi-Factor Authentication
Purposeful culture and change management is the primary solution in this scenario. We recommend that individuals review who should be granted access to their information, ensuring this access is on an as-needed basis and frequently reviewed for continued relevancy. Related to this, individuals should also consider whether, in order to better protect their and their family’s assets, they may need to sacrifice a certain level of convenience.
As improved password management applications come to market, the tradeoff for better security may only become a few additional seconds logging in to a digital device, platform, or application. Family members and trusted staff can be a good starting point to help drive better password management practices among high-net-worth individuals, including speaking to the ease of use of these applications.
Family offices also have the option to explore an enterprise-level password management platform.
These platforms are not only a great source for securing passwords, but can also help with the following:
- Sending reminders to change passwords frequently
- Requiring multi-level approval before credentials can be accessed
- Maintaining a comprehensive audit trail for better transparency into information access
Trends Influencing Cybercrimes against the High-Net-Worth Community
As the complexity of an individual’s or family’s life increases, the threat landscape grows.
Increased Use of Social Media and Technology
Threats range from inadvertently displaying location or specialized assets through social posts to surges in ransomware, phishing, and extortion scams.
Number of Staff with Access to Personal Data
As the number of individuals within a personal circle with access to passwords and security systems increases, the need for greater internal and security controls expands.
Increases in Net Worth
Increases in wealth, status, or reputation can make individuals more susceptible to extortion threats or hackers – especially as families and individuals may not have advanced security systems in place, making them an attractive target.
Multiple Entities
Home and business technologies can actually expand the potential attack surface, as a unique level of security expertise is required to provide the proper protection. In some cases, there may be no formal monitoring or auditing in place for access management and critical systems within an entity.
Remote Work
The major shift to remote work is here to stay, for many. This is happening at a time when corporate organizations are getting smarter and maturing their security infrastructure, making individuals’ and family offices’ servers a softer target.
Key Cybersecurity Questions for High-Net-Worth Individuals and Family Offices
A high-net-worth individual, family, or family office can ask themselves the following questions to begin to determine the state of their security infrastructure, cyber risk landscape, and potential needs.
- Do you view privacy and security as a top concern?
- Are members of your family frequent users of technology or digital platforms?
- Is there a potential lack of visibility into family member, staff, or third party use of technology, or access and exchange of private data?
- Have you been a victim of a cybercrime? (e.g., ransomware, email or social media hack, break-in)
- Do you have some form of a cybersecurity plan in place?
- Do you have IT staff in your home, additional properties, and offices? If not, do you use a third party to manage technology and security support? Has security been an area of focus in the system architecture and processes?
- Are you working from home more often—or out of a new home or location, which could potentially increase security risks?
- Is there a large number of staff, third parties, friends, or family members in your personal circle who have access to your passwords or personal information?