This section is by PBY Capital

Showing your vulnerable side: How family offices can overcome people-related security blind spots

Cybersecurity is not just a tech problem. The real issue is human capital.

If your family office was hit with a ransomware attack, would you know who to call? What if a member of your household inadvertently polluted your home network, which you also use on occasion for business?


These types of troubling scenarios are how Robert Moerman, a cybersecurity partner at KPMG in Canada, gets the attention of his family office clients. And too often the answer is either “No” or “I hope it won’t happen to us.”

In Moerman’s experience, it’s a risk that family offices can no longer afford to overlook. “You may be a smaller target, but it doesn’t mean you’re not a target,” he says. “Why do people rob banks? Because they have money. If a criminal knows they can get to you through your family office or even your home, that makes you an easier target than a bank.”

According to consultancy RSM, 83 per cent of family offices in the U.S. cite a cyberattack or data breach as their biggest operational risk. 

While that may seem to be a technology problem, the root issue is human capital. Many smaller, under-resourced family offices don’t have the in-house expertise to implement security risk mitigation practices, nor a response plan to recover quickly. Compounding the risks are staff turnover and lax background checks, remote and hybrid work habits, and insufficient training and development. In a recent survey, legal services firm Dentons found that 45 per cent of family offices identify cyber and data security management as a key risk related to their internal staff.

“People are typically your weakest link,” says Ameer Abdulla, a Waterloo, Ont.-based partner with EY Canada who advises family offices. “In addition to the right technology, you need the right training protocols and processes in place to deal with threats.”

In the Dentons survey, 54 per cent of family offices reported that all staff participate in risk mitigation and security training and, among those taking part, 59 per cent do so only annually.


However, even dedicated annual training is likely no longer enough—not with rapidly evolving and increasingly sophisticated security threats based on artificial intelligence, deep fakes and social engineering infiltration tactics. “Quarterly security reviews are becoming more common in some of my clients,” says Abdulla. 


Scaling security

Family offices with limited resources are challenged to put technology and protocols in place to ensure that staff do not fall victim to security breaches—or that they aren’t able to commit those breaches themselves. The Dentons survey found that while 80 per cent of family offices conduct pre-employment background checks on all staff members, only 37 per cent periodically reassess the security profile of employees.

[Photo caption] “People are typically your weakest link,” says EY Canada’s Ameer Abdulla

Moerman notes that while more family offices in Canada are hiring people into roles with some degree of accountability for security, they often aren’t able to provide comprehensive risk mitigation.

Instead, some family offices are turning to a fractional model and retaining the services of an outsourced chief security officer (CSO) or chief information security officer (CISO). Similar to how legal or accounting services are scaled, a fractional CSO/CISO affords family offices expert advice to set up an effective cybersecurity program that takes into consideration people, processes, data and technology. “I find that with smaller offices, anything scalable is the right answer,” says Abdulla.

In addition to up-to-date security training and ensuring IT best practices—multi-factor authentication, access controls, encryption, monitoring and activity logs, backup and recovery strategy, and network availability—a fractional CSO/CISO can also provide a broader and more nuanced view of security risks. Those can include physical security, home IT environments, securely accessing family office material on personal mobile devices, and travel risks.

“It’s valuable to work with someone who has senior-level experience and understands how to bring together in a unified way all the different threats and risks that you’re exposed to as a family office,” says Moerman. “It can be as simple as wanting to make sure you’re not monitored in the hotel room when you travel overseas. It’s about having the experience to ask, ‘Have you thought about this?’”


But CSO/CISOs can also identify more commonplace security risks. Abdulla says family offices often need clearer protocols for how certain kinds of information or documents get saved, file naming conventions and encryption standards. “Even things like, do you lock your door? Is your filing cabinet locked?” says Abdulla. “Those are some of the blind spots that I’ve seen at smaller family offices, where they may share a space as the operating business.”

Fractional CSO/CISOs also come with the knowledge to recommend reliable services that scale to a family office’s resources and risks, such as cloud-based solutions that securely consolidate data and control access, search firms that conduct detailed online background checks of potential hires, and so-called “white hat” hackers that stress-test security protocols by mimicking actual infiltration attempts.

Family first

Just as every family office needs a good lawyer, Moerman says they now also need to retain their own security expert. 

“The security issues that a family office deals with are bigger than the family office,” says Moerman, noting how family offices and their founders are often connected to other corporate entities. “It’s really about having somebody who represents the interests of the family office, but also understands the business environment of those associated enterprises.”

Despite their small size, family offices are uniquely vulnerable to security risks, and complacency could come with a high price tag. As Moerman bluntly puts it: “You pay now, or you pay later.”
