Wealth Manager - the site for professional investment managers

Why family offices need to up their game on cyber security

‘There are only two types of companies: those that have been hacked, and those that will be,’ in the famous words of Robert Mueller, uttered in 2012 while he was the director of the FBI.

If the number of worldwide cyberattacks that took place this year taught us anything, it is that no one is truly safe. But new research has found that ultra-high net worth (UHNW) families and family offices do not even appreciate the scale of the threat.

According to Private & Confidential: The Cyber Security Report, a study by Schillings and Campden Research, 38% of respondents do not have a cyber security plan in place.

Rod Christie-Miller, chief executive at consultancy Schillings, said: ‘We see lots of deliberate attacks on families and their businesses by those opposed to them. Whether they are blackmailers, disgruntled family members, business or political rivals – lots of people with an agenda are seeking stolen or private information to gain an advantage.

‘Even supposedly friendly parties, such as commercial partners and banks, are now using reputation to assess whether they want to do business with a family. While perfectly reasonable, the risk is that they will assess a family’s reputation based on “fake news” and reams of uncorroborated stolen data.’

He added: ‘There is a fine line between complacency and confidence. The link between private and confidential information being stolen, and the impact this can have on reputation, is not being made.’ 

The research findings

  • 38% have no cyber security plan in place
  • 28% suffered a cyber security attack, 77% of which were subject to phishing
  • 51% have never audited their publicly available information
  • 34% take internal cyber security awareness training

The report makes a number of suggestions to combat this, which include investment in training, creating an incident response plan and not leaving it to just the IT department but taking a personal interest.

Key recommendations

  • Cyber security should be a board or head of family level issue and not left to the IT department
  • Further investment in establishing a human firewall will strengthen a family office’s or family business’ first line of defence against a cyber attack
  • You should be interested in your publicly available data and correct inaccuracies or remove untrue information
  • Include an incident response plan as part of your cyber security plan
  • In the event that your data is stolen as part of a cyber attack, there are things you can do to minimise the fall-out
  • If the stolen data is leaked online, don’t assume the battle is lost.

An example of this is B Capital, which is planning to launch a program to train and help family offices and investment boutiques to prepare for cyberattacks. Elsewhere, recently launched UHNW wealth boutique Infinity Wealth by Design has taken the threat so seriously, founder Elisabeth Dana said the firm spent 30% developing ‘military grade’ security, which was so sophisticated, the business received a tax break from HMRC in recognition of innovation.

However, looking at the numbers, there is still more to be done before family offices can fully combat the rising threat.

Jérôme Stern, founder of J Stern & Co, says that although cyber security is extremely important for family offices, in general because they are small businesses ‘most of them do not take enough care to raise their defences against potential cyber attacks’.

He added, however, that as the size of a business increases, in terms of people, clients or AUM, cyber security becomes a more recognised issue and is better addressed.

‘At the end of the day it’s a fixed cost to the business. It’s super important and data is crucial to the business. If any of it gets stolen you have all sorts of complications and breach of confidentiality. It’s not a matter of if, it’s a matter of when.’

At J Stern & Co, he says that the company focuses on compartmentalising everything, so that if one part of the system is attacked, the rest can continue to work. In addition, the firm has a disaster recovery plan in case everything is attacked at once, which allows it to access multiple backups quickly. ‘Generally it’s about staying vigilant and making sure you do the investment and make sure you diversify the risk by having multiple systems,’ he said.

Questions to ask at your next board meeting

  • How do we know if we have ever suffered a cyberattack?
  • What monitoring is in place to detect an attack?
  • Have we ever independently tested our IT firewall using a penetration test and if so when?
  • What steps are we taking to strengthen our human firewall?
  • Who has what information on the family and where is that information going, especially in light of the Common Reporting Standard?
  • When did we last rehearse our incident response plan and are we clear on who will do what in a crisis?
