Wealthy people and family offices: Hackers see you and know you're not ready

Article content

It’s a rare day for anyone with a mobile phone and computer to not come across a text, email or voicemail supposedly sent by a credit card issuer, Canada Revenue Agency or a recent inheritor of millions of dollars who wants to share the windfall in exchange for the recipient’s banking information.

Cybercrime has become an expected hazard of digital life for individuals and organizations. According to the management consulting firm Accenture, cyberattacks worldwide increased 125 per cent in the first months of 2021. California-based publisher and research firm Cybersecurity Ventures estimates that the financial impact of these attacks – which are carried out through various methods that include phishing and ransomware – will reach US$10.5 trillion annually by 2025.

That should set off alarm bells among wealthy families and their family offices, which have become prime targets for cybercrimes.

“Family offices have not caught up when it comes to strategies for cybersecurity,” says Mike Krygier, a Toronto-based cybersecurity consultant who has worked as head of digital transformation security at Google and as deputy chief information security officer for the city of New York. “It’s not surprising that a large number of family offices have experienced cyberattacks.”

Indeed, a 2020 report by the law firm Dentons said about one in four family offices has suffered a cyberattack, with almost two-thirds of these attacks occurring within the last 12 months. A survey of single-family offices by consulting firm EY presents an even more dire picture: almost three-quarters of the 257 respondents said they’d experienced some form of cybersecurity or data breach.

Krygier recently launched a boutique consultancy and service provider called Deep Cove Cybersecurity, which serves ultra-high-net-worth and family office clients. He sat down recently with Canadian Family Offices to share his thoughts on cybercriminals, the risk they pose for wealthy Canadians and their family offices, and potential solutions.

Pretty much anyone who does anything online is at risk these days from hacking and cyber-scams. Are the risks greater for family offices and wealthy people?

The threats are similar across the board. But there’s more at stake for high-net-worth families and family offices because their assets are significantly higher in value than the average Canadian. When you’re looking at something like an email scam where somebody asks you to send them money, the average Canadian may be able to send several thousand dollars. But if a wealthy person or family office staff gets tricked, they could potentially send hundreds of thousands of dollars, or even millions.

Really, millions? Could someone really be tricked into sending millions of dollars in a cyberattack?

Sure, it can happen. There was a Financial Times article last year that described an incident where a family office’s client got an email supposedly from an art dealer he had been negotiating with for some time. Hackers who had infiltrated the system had been reading the correspondence between the client and this art dealer and were able to impersonate the art dealer so well that the client almost sent six million (British) pounds as payment for a piece of art. Fortunately someone at the family office decided to confirm the purchase with the real art dealer before approving the payment.

It’s a big worry for family offices that the company or software that’s securing their systems can also see every file they’re opening and every website they’re visiting.

Mike Krygier, cybersecurity consultant

Wealthy families tend to live and hold assets in different parts of the world. Does this make them more vulnerable to cyberattacks?

Cyberattacks are global in nature and can originate from anywhere. While there are groups focusing on particular geographies, most attackers don’t limit themselves to any particular group of people in a particular part of the world. You could be a Canadian with assets in Singapore and come under attack from hackers in Costa Rica.

Are some countries better than others when it comes to fending off cyberattacks?

Some jurisdictions, like Singapore, Switzerland, New York and London (England), have fairly sophisticated cybersecurity technologies and systems. But regardless of the country your assets are in, the potential risk tends to lie in the bank or financial services firms you’re dealing with. It’s important to do your due diligence to understand their security posture.

I would argue that even in Canada our banks are lagging in their cybersecurity best practices when compared to what other countries are doing.

What are the most common risks and modes of attack?

The attacks can be categorized into two primary types: those that use social engineering to target individuals or businesses, and those that use technology or IT infrastructure.

Attacks based on social engineering are designed to effectively trick people and cause them to take action on their computer by attempting to demonstrate some kind of association or affiliation with the target. This could take the form of a message from someone pretending to be a family member – like a grandchild in need of money – or perhaps it’s a fake invoice from a company that a lot of people pay routinely and would not be scrutinized as much.

These attacks are not so much utilizing technology as they are exploiting relationships.

The other type of attack uses technology as the primary tool and doesn’t require the individual to take action. We all have computers and mobile phones and these devices have vulnerabilities, like bugs in software that allow behaviour not intended by the manufacturer of that software. Attackers look for these vulnerabilities and use them to induce your system to give them access to your computer. Once they’re in they’re able to take a series of other steps to access any website you’re accessing, steal your passwords and credentials, read your email, and install ransomware.

Hackers have become aware of the fact that family offices are overseeing all this money but many don’t have the enterprise-grade security that banks have.

Mike Krygier

This type of attack is sometimes used in conjunction with social engineering, where the attacker might pretend to be Microsoft or someone in your IT department and ask you to change your password or install something on your computer.

A number of recent surveys have highlighted cybersecurity as a serious — and growing — problem among family offices. Why is this happening?

I think hackers have become aware of the fact that family offices are overseeing all this money but many don’t have the enterprise-grade security that banks have. With the pandemic, family offices have also been working from home where there’s even less security. So they’ve become an easier target.

A big problem for family offices is the lack of a trusted cybersecurity provider. Family offices place such a big emphasis on privacy, so it’s a big worry for them that the company or software that’s securing their systems can also see every file they’re opening and every website they’re visiting. Some family offices choose to buy off-the-shelf security solutions that they can install themselves, but that’s not really a good idea.

So what’s a better solution?

Family-office best practices for cybersecurity start with mature IT and strong internal controls. It’s really important to find a provider with cybersecurity offerings designed specifically for the needs of a family office. Ideally this provider has experience in the family office space and can provide a high level of assurance about what information they’re accessing, why that information is needed to protect systems, what they’re storing and not storing, and how effectively they can limit who can access that data. The information should ideally be stored in accordance with the family office’s data residency requirements, for example on servers in Canada so the data is not subject to the laws of other jurisdictions, like the Patriot Act in the United States.

As far as internal controls go, this starts with vetting family office staff very carefully and then establishing policies and procedures, such as rules around account sharing and setting secure passwords along with additional authentication steps, and in general maintaining a level of security awareness among family office staff and clients. Family offices should also have safeguards built into their processes. This could be something as simple as providing instructions for the bank to validate transactions at a certain amount or having someone on staff confirming high-value transactions before they’re put through.

As a key practice, family offices should create an incident response plan that details what they need to do if a cybersecurity incident happens – what are their first steps, who should they call, how will they react to a ransom demand? Unfortunately this is something people only think about after they’ve experienced a cyberattack.

We know that most high-net-worth families travel a lot or divide their time between residences in two or more countries. What do these global families need to know about keeping their data safe from cybercriminals?

In most countries border and customs agents have broad rights that include the right to seize your electronic devices. Whether you’re a wealthy individual or a family office team member with client information on your laptop or your phone, you need to be aware that this confidential information could be at risk if you’re ever stopped at an entry point into another country.

I recommend travelling with the minimum possible amount of confidential information. If you need access to this information, the best thing is to keep it stored in the cloud with servers located in Canada that you can access without transferring or downloading the information. And don’t use free or public WiFi – it’s better to tether your laptop to your mobile phone.

Depending on the jurisdiction you’re travelling to, consider bringing a lower-cost device you won’t necessarily need after your trip, so that when you come back you can just wipe it and maybe donate it to a charity.

What security technologies should family offices be investing in today? And are these technologies affordable for family offices, which typically don’t have the IT budget you might see at a bank?

It is feasible today for family offices to get access to enterprise-grade firewalls or financial industry-grade security technology. Endpoint detection and response solutions are one example of an effective security tool that a family office should have as part of an overall cybersecurity strategy. This technology along with 24/7 cybersecurity monitoring allows you to watch what’s happening across the network and on the computers being used across your organization. It’s like a home monitoring system for your family office, where alarms go off when there’s any unusual activity or a potential breach so you can respond quickly.

A lot of businesses today are also moving to things like two-factor authentication, and this is best done with a device such as a YubiKey, which is a physical token you plug into your computer to authenticate the identity of the user. The newest generation of these devices has biometric technology, so even if it is stolen someone wouldn’t be able to use it.

None of these technologies is tremendously expensive, although there is a bit of a premium compared to their consumer-grade equivalent. But if you look at the assets at risk versus the cost of prevention, I think you’ll quicky realize it’s worth the investment. Because once the attackers are in and they’ve taken the data – and are ready to use it to steal your money or your clients’ money – there’s no putting that genie back in the bottle.

More from Canadian Family Offices:

• How to short-circuit family disputes, avoid a ‘Succession’-worthy mess
• As ‘godfather’ of family offices, Tom McCullough and his vision stand test of time
• How to avoid tarnishing family harmony when passing down jewellery

Please visit here to see information about our standards of journalistic excellence.