From Ohio school computers to nationwide hospital operations and Donald Trump’s presidential campaign, cyberattacks are compromising vast areas of society. Family offices are no exception, with ultra-high-net-worth individuals being a top target for criminal groups around the world.
“Even though family offices might be small employee-wise, they really need to think of themselves like medium-sized companies, because the assets they control can be significant,” said Michael Ehrlich, former chief of operations for a cyber defense group at the U.S. National Security Agency. “It’s surprising the number of businesses and family offices that have in the past four or five years fallen victim to business email compromise attacks and wired money completely to the wrong account, with the best of intentions.”
Ehrlich is now a founding partner of Trifident, a cybersecurity consultancy that works with single and multi-family offices ranging from 30 to 250 employees. In a survey by J.P. Morgan Private Bank of 190 family offices, with an average net worth of $1.4 billion, 24% said they’ve been hit with a cyberattack, and 40% view cybersecurity as a top area of concern.
“We’re trying to help family offices rethink cybersecurity,” said Ileana van der Linde, head of cyber advisory at J.P. Morgan. “A lot of them believe this is a technology problem. But most cyberattacks don’t happen through technology; they happen because of people and process.”
Remove ‘weak links’
Before starting Annapurna Cybersecurity Advisors, cybersecurity expert Tony Gebely spent a decade as chief technology officer at the Family Office Exchange. Now when working with family office clients, Gebely conducts threat assessments that often identify work-from-home infrastructure as contributing to greater cyber risk than traditional office environments.
“We find a lot of weak links in individuals’ households — personal devices that aren’t being managed by anybody, personal emails that are receiving investment reports for the family office,” Gebely said.
“One of the first things we do when we start working with a new family is we look at if there’s any contracts with AV [audiovisual] companies for the different houses they own. Because a lot of times, you’ll have an AV company that installs not only AV equipment but networking equipment, and they are notoriously horrible at cybersecurity best practices.”
Firms like Annapurna and Trifident will help their family office clients select a managed service provider (MSP) to set up IT systems, as well as a managed security service provider (MSSP) to monitor networks for cyber threats.
This month, the cybersecurity services vendor BlackCloak raised $17 million to grow its platform for protecting family offices and corporate executives. Other potential cybersecurity vendors for family office and financial service providers include Thrive, Pro4ia and ECI, while Mastercard recently agreed to buy the cybersecurity firm Recorded Future for $2.65 billion.
“Over the past decade, nation-states and cybercriminals have shifted their attention from the well-defended walls of corporate environments and investment banks to softer targets that are easier to penetrate,” said Mark Donnelly, a partner at Baird Capital, which invested in BlackCloak. “This means that high-net-worth and high-profile individuals, family offices and corporate executives are increasingly falling prey to bad actors.”
Family offices are encouraged to develop education programs that set out policies around wiring money and financial transactions, monitoring phishing attempts, using personal devices and adopting app-based multifactor authentication. But they’ll want to extend these protocols not only to their family members and staff but also to external partners.
“Third-party risk for family offices is significant since many rely on external counsel and outside tax or investment support, where the third-party provider holds private, personal, and proprietary data belonging to the family office,” said Ehrlich. “If those providers are breached, the family office data is at risk. We’re increasingly seeing cyber breach notification clauses included in family office support contracts—things like a notification requirement within eight hours of a breach, description of affected data, things like that, to keep the family office in the know.”
Cybersecurity firms have to keep up with hackers leveraging artificial intelligence, such as the fraudsters who used deepfake imagery to persuade a Hong Kong finance worker to send $25 million after a videoconference call that impersonated the firm’s CFO. In July, automaker Ferrari narrowly avoided being duped in a similar deepfake scam.
Mitigating a personal digital footprint is another component of cybersecurity, with companies like Hush offering services. “We have a lot of clients who when the Middle East conflict started last fall were very concerned about having information about themselves online,” said J.P. Morgan’s van der Linde. “We’ll help clients with what kind of tools are there to help reduce your digital footprint, to reduce that public information.”
‘Suck it up and don’t pay’
Finance industry law firms such as Norton Rose Fulbright and CohnReznick have practices that specialize in cyber incident response. Companies such as Chubb, PURE Insurance and Risk Strategies offer insurance services for cyberattacks. But Adriana Zalucka of the family office networking group FOTechHub hears that cyber insurance routes are often futile and limited.
“Sometimes it might not be the best idea to call your insurance [company]; because if you haven’t done all the things you said you’d do in the application, then you’re not going to get a payout, and you’re not going to get insured again,” Zalucka said. “Speaking to a lawyer or a trusted specialist adviser first is a better idea, because there’s also all kinds of regulatory issues once you do pay a ransom to a criminal.”
Added Ehrlich: “A lot of the insurers have their own negotiators; most threat actors want to be paid in cryptocurrency. My view is never pay, unless people's lives are at risk. If you're a family office, they've already stolen your data — lock down your systems, suck it up and don't pay. Because [paying] just keeps them wanting more.”
In May, Wired reported that hackers behind the Change Healthcare cyberattack on U.S. pharmacies and hospitals received a $22 million ransom payment via bitcoin. Ehrlich, who spent 10 years at the National Security Agency, said cyber attackers are rarely held legally accountable.
“The FBI always wants you to report a breach so that they have better stats and can track who the threat actor is,” Ehrlich said. “But unless it’s a really big breach, the FBI is not going to do much about it.
“We’ve had threat actors where we actually know their names, where their phone is calling from in India. But what are you going to do, call up the local Indian police and say, ‘Hey, I’ve got a name and a phone number, he just extorted $1,000 bucks from me?’”
A report from Cybersecurity Ventures found that global cybercrime has reached $9.5 trillion in estimated damages, which would rank as the world’s third-largest GDP behind the U.S. and China. But for family offices, advisers warn that cybercrime damages can exceed any financial loss.
“Family offices have a lot of sensitive data about families that aren’t always financial in nature — divorces, crimes, reputation damage,” Gebely said. “If you lose money or get hacked of financial data, your insurance might cover that. But if your reputation is damaged, no amount of money can fix that. That’s the real risk.”