Fame and publicity often accompany significant wealth. Such attention, whether desired or deflected, can also make the family office a potential target for cyber-criminals.
Many family offices handle assets and investments equal to a substantial corporate entity but without the same levels of governance and security. While the corporations that create the wealth for a family are likely to be fortified with firewalls and well-trained employees, the family office might typically operate quite separately in a location more convenient for the principal and without any of the same resources.
Furthermore, it’s usual for family offices to maintain a relatively flat managerial structure with a small number of dedicated staff to reduce operating costs. A small group of staff can have broad access to sensitive data that would normally be compartmentalised in a larger organisation.
Family offices with limited staff, lacking training and with an informal approach to data security are vulnerable to supply chain risks in the storage and transition of their most valuable asset – data.
However, it is not just wealth that makes them vulnerable to a cyber-attack or data breach. In addition to investment administration, staff in many family offices are also tasked with concierge functions such as arranging travel and paying invoices, a role that exposes them to phishing attacks. When principals are in different time zones, their staff can sometimes be expected to work odd hours and respond to requests as soon as possible. A tension can quickly develop where efficient service takes precedence over effective cybersecurity.
Cybersecurity for a family office is a marriage of personal privacy planning by the principals and data protection auditing by the staff. Malevolent data loss usually begins with a phishing attack: an attempt to obtain sensitive information such as a username, password or financial data by fraudulently posing as a known, trustworthy entity in a text or email.
The plausibility of a phishing attack depends on the quality of the information in the fraudulent text or email. The cost of living in our connected world is counted in the hundreds of seemingly valueless, unconnected pieces of information scattered across social media, geotags, apps and behavioural trackers. This private information can be combined with public records like Land Registries, Companies House in the UK or the Securities and Exchange Commission in the US.
The simple act of aggregating the disparate pieces of your private jigsaw can produce a very detailed, invasive and valuable picture for those wishing to attack or exploit you.
Auditing all the information about you that is available online allows you to see the connections that could be made and the inferences drawn about your private life that would be used in a cyber attack. Only when a comprehensive overview has been compiled of all the available information about you is it possible to start anticipating the associated risks.
Data protection auditing starts by embracing the matrix of location, staff and assets that the family office has to work with. How many households, offices and other locations such as yachts form the physical network? How many jurisdictions are in play and is data being transferred in or out of European Union states? How many staff service the family office? How many service providers provide support to the family? What platforms and devices do the family use to communicate with each other and their entourage and what level of encryption is used?
How many investment transactions occur in any one month? How many banking relationships does the family have? How many ownership structures include employees? How many assets require active management?
The answers to these questions will describe the life-cycle of data around the family office and, more specifically, what information is being collected, stored and processed by the organisation. The answers will also help determine whether the family office requires the appointment of a Data Protection Officer.
That will be determined by the number of people whose data is being processed and the duration of that processing, the volume and sensitivity of that data and the geographical extent of the principals’ activity. In the event of a breach, there are four stages to effectively manage the process: (1) detection and containment, (2) recovery and assessment of ongoing risks, (3) notification, and (4) remediation and review.
The first stage of managing a data breach is dominated by the four technical objectives of detection, containment, identification and preservation. Detecting the source and scale of the breach is paramount. Quarantine the breach by isolating the affected systems and minimising the entry points that a cybercriminal could use to extract data from them.
This is a precursor to identifying the cause of the breach, its duration and its impact. Finally, it is vital to preserve all the information needed for any subsequent investigation such as server log files and metadata whilst minimising disruption to the running of the office.
The impact of most data breaches is felt across more than one country or jurisdiction. In some territories, it is mandatory to notify the Data Regulator (e.g. The UK’s Information Commissioner’s Office). In some territories, it is mandatory to notify the affected individuals.
There are also likely to be other third parties to whom the breach will have to be notified such as insurers, banks and the Payment Card Industry Security Standards Council. In some jurisdictions, the duty to notify the regulator or affected data subjects is time-limited. Family offices based in the EU have only 72 hours from the point of detection to notify their regulator and possibly the affected individuals.
So what should family offices be doing right now?
With such a tight timescale for reporting, it is vital that family offices have a clear and regularly rehearsed plan for managing a data breach. That plan needs:
One: A team with clearly defined roles, expectations and training.
Two: An internal Breach Register or Log also needs to be set up and maintained. Data should be stored with appropriate security measures determined by its sensitivity and value.
Three: All staff should be trained to look out for suspicious behaviour and online activity.
Four: Data protection clauses should also be reviewed to ensure they require data processors and other third-party handlers to proactively notify the family office of any breaches they might suffer, and insurance policies should be revisited to assess their coverage in case of a breach.
Research undertaken by Schillings reveals that 28% of family offices have experienced a cyber attack in the past and that, of those, 77% had been subject to phishing campaigns. Family offices must therefore begin the transition from ‘we’re not a target’ to ‘everybody is a target’ when it comes to their cybersecurity.
This starts with family offices getting interested in their data before someone else does.
Schillings Top Tips: ASSERT your cyber-strength
Awareness training – Customised awareness training should be put in place.
Simulation – Ransomware attacks, phishing emails and other sorts of social engineering should all be periodically rehearsed to test infrastructure security as well as the family office’s ability to react quickly and cohesively.
Scanning – The family office’s network and website should be regularly scanned for vulnerabilities as should the digital footprints of the principal and family members.
Ethical hack – An ethical hack should be commissioned to provide a real-time simulated attack on the family office to assist in awareness training and ensure that all staff appreciate the value of the data they are handling.
Resilience – An analysis of the risks associated with all the possible sources of attack from bad leavers to competitors and cyber-criminals, and how they might be mitigated.
Team – Every member of staff in a family office should be regularly rehearsed and clear in their roles and reporting commitments in the event of a cyber attack or data breach.
Magnus Boyd is a partner at Schillings, an international law firm specialising in privacy and security consultancy. Schillings has extensive experience working with family offices and their principals, on issues such as cyber-attacks, data theft, privacy threats, family conflict and divorce, and media intrusion.