In an era where digital advancements have revolutionized the way we manage wealth, cybersecurity has emerged as a critical concern for family offices. The sensitive financial information and substantial assets managed by these entities make them attractive targets for cybercriminals. Compounding this is the steadily growing public footprint of families, whether direct (publicity to gain support for their family business or philanthropic purposes) or indirect (social media posts by various family members).

As family offices increasingly rely on digital technologies for their operations, the need for robust cybersecurity measures has never been greater. This digitization is partly driven by a hyper-mobile clientele with an affinity for technology. Alongside the advancements that the extensive use of technology brings, it also carries risks that need to be mitigated.

As Muralidhran Nadarajah, Eton Solutions CIO, explained: “Family offices should be acutely aware of several key cybersecurity risks. This includes phishing and ransomware attacks, data breaches, insider threats, and third-party risks, all of which can lead to significant financial and reputational damage. The emergence of generative AI has introduced new threat vectors, with hackers now capable of creating sophisticated deep fakes and phishing/vishing attacks using analyzed voice, video, email, and social media data.”

Key Strategies for Enhancing Cybersecurity

The unique structure of family offices, which often involves a high level of confidentiality and interconnected digital systems, requires a tailored approach to cybersecurity. An online survey conducted by Boston Private in 2020 found that 26% of the surveyed family offices have suffered a cyberattack, and almost two-thirds of these cases happened within the last 12 months. The European Family Office Report in 2023 revealed that 11% of European family offices have been victims of a cyberattack in the past 24 months. The same report found that family offices are not concerned (33%) or unconcerned (15%) about their cybersecurity measures. At the same time, the known number of cyberattacks has increased by approximately 75% over the past five years, and ransomware costs are forecast to reach US$265 billion by 2031, up from US$20 billion in 2021, according to the EY 2023 Global Cybersecurity Leadership Insights Study. The future looks worrying, with 75% of Chief Information Security Officers polled believing that AI gives an advantage to attackers over defenders, as reported by Splunk.

Risk Assessment and Management

Conducting regular cybersecurity risk assessments can help identify vulnerabilities within a family office’s digital infrastructure. This involves evaluating existing security measures, identifying potential threats, and prioritizing risks based on their likelihood and impact. According to PwC cybersecurity expert Nick Blaesing, it all starts with understanding what data you are trying to protect, and where that information is within the organization. This was underlined by PwC’s recent Digital Trust Insights study into cyber resilience, which found that 91% of companies with a high resilience quotient (RQ) maintain an accurate inventory of data assets and systems, and refresh this list as needed. Among lower-RQ companies, only 47% do this. Concierge Cyber’s Kurtis Suhs suggests starting any project with a vulnerability test. “This would include an external scan of their network for outsider threats and an internal scan for insider threats. Any discovered high vulnerabilities should immediately be remediated, and medium threats should be addressed within 30 days.”

Employee Training and Awareness

Human error remains a significant vulnerability in cybersecurity. Providing regular training and awareness programs for staff can help mitigate risks associated with phishing scams and other social engineering tactics. Having a Written Information Security Plan (WISP) that addresses policies such as email security, mobile devices, business continuity, disaster recovery, physical security, and incident response is crucial. Kurtis Suhs says the entire organization must embrace a protective mindset. “For example, Legal should evaluate third-party contracts, particularly those vendors that maintain PII, with respect to mutual indemnity and hold harmless provisions.”

Practical Steps to Increase Cybersecurity

  1. Multi-Factor Authentication (MFA): Implementing MFA adds a layer of security by requiring two or more verification methods to gain access to digital resources, significantly reducing the risk of unauthorized access. This also requires mapping the digital resources that the family office uses and securing all of these services with a stronger authentication method.
  2. Encryption of Sensitive Data: Encrypting data both at rest and in transit ensures that sensitive information remains secure, even in the event of a breach. Encryption scrambles data into an unreadable format that can only be decrypted with the correct key.
  3. Regular Software Updates and Patch Management: Keeping software and systems up to date is crucial in protecting against known vulnerabilities. Cybercriminals often exploit outdated software to gain unauthorized access to digital networks.
  4. Endpoint Management and Antivirus Software: Ensure that only authorized and appropriately set up hardware can access the company’s network. This includes the mandatory installation of antivirus software.
  5. Backup Strategy: Run backups regularly, and store unalterable, encrypted backups remotely in offsite storage.
  6. VPN: Access to networked resources from outside the family office’s premises is only possible through a VPN (Virtual Private Network). A VPN encrypts the data exchange between a laptop and the family office’s network infrastructure. In addition, it authoritatively identifies a user on the network.
  7. Training: Train users regularly and raise their awareness of cybersecurity threats.
  8. Monitoring and Threat Intelligence: Specialized service providers offer monitoring and automatic threat response. In any case, access and activities on servers and network infrastructure need to be logged and, most importantly, monitored for unusual activity.

Conclusion

As family offices navigate the complexities of wealth management in the digital age, cybersecurity emerges as a cornerstone of protecting assets and ensuring privacy. By investing in cybersecurity measures, conducting vulnerability tests, implementing protective measures, and continuously monitoring the organization’s security framework, family offices can safeguard their digital infrastructure against the ever-increasing number of cyber threats.