Cyber-crime statistics indicate that family offices are becoming more frequent victims of targeted data breaches, often wreaking havoc on systems and posing a significant reputational and financial risk when sensitive information is accessed. Twenty-eight percent of international families, family offices and family businesses have already been victims of cyber-attacks, according to a new study from Campden Wealth and Schillings, with just one incident costing a family $10mn. Considering that almost 50% of Ultra High Net Worth family wealth is being managed through Family Offices, it is critical that adequate measures are put in place to defend these firms from the growing threat of increasingly sophisticated cyber-attacks.
Projections indicate that the global cost of cyber-crime could reach a staggering $6 Trillion by 2021, with up to 90% of all companies falling victim to cyber-attack. Emile Salawi, Head of Family Offices BNP Paribas, stated in a recent interview: “ Today, Cyber-security is one of the three most important focus areas for Family Offices. Traditionally, families have relied on banks to exercise necessary governance and compliance requirements when it comes to protecting information and funds, but the time has come for families and family offices to take more responsibility for the protection of their own data, with consideration to the entire information and document flow”.
It Starts With An Email
92% of all malware is still delivered via email, mostly in the form of targeted phishing attacks, the intent being to trick recipients to download an attachment or click a link. Additionally, executive email accounts are often compromised, allowing fraudsters to impersonate individuals who have the authority to instruct wire transfers or obtain confidential information.
Brand New Threats
On a daily basis, new threats like Ransomware and Cryptojacking seem to pop out of nowhere, making the viruses from yesteryear seem like child’s play. Ransomware, those malicious programs that encrypt your files then demand bitcoin payment to restore them, received much attention in 2017 due to the NotPetya outbreak. The financial impact of this form of malware is often underestimated as the direct ransom cost is estimated to represent only 10% of the full productivity impact. Despite all the hype and publicity around ransomware, by the end of 2017 it was Cryptojacking that had become the most popular form of cyber-crime with 90% of remote code execution attacks involving the unauthorized use of other people’s computers to mine cryptocurrency.
Social networking has fast become the preferred communication platform for both individuals and businesses, with sites such as LinkedIn, Facebook, Instagram, Twitter dominating the social media landscape. These platforms pose a significant risk to Family Offices with organized criminal networks exploiting this space, extracting sensitive information that could have a devastating reputational impact and even compromise the personal safety and security of family members.
Why Family Offices Are Being Targeted
- Approximately 40% of Family Offices do not have a dedicated cyber-security policy in place.
- Typically, there is under-investment in the necessary information technology systems.
- Governance structures and guidelines relating to information security are generally informal.
- High-profile family offices become obvious targets due to the potential extortion value attached to reputational threats.
What Interventions Are Required?
Information Security Policies and Procedures need to be drawn up and regularly reviewed to ensure that they are still adequate and relevant, and that staff are well trained on how to apply these guidelines in their day to day work. It is recommended that Family Offices employ a 3rd party specialist to assist with auditing their cyber-security requirements, and providing recommendations from a people-, process- and systems perspective. Some policies and guidelines to consider:
- Using an authentication process for verifying instructions like wire transfers.
- All emails which include private information such as bank details, credit card numbers etc. to be encrypted.
- Off-site backing up of data.
- Regular cyber audits to ensure that confidential information is secure and that all publicly accessible information is scrutinized.
- Rules regarding the opening of links or attachments to be clearly stipulated.
- Personal and work resources to be separated, with sensitive company information not to be stored on any personal devices or shared publicly through social media.
- Company information to only be accessed using prescribed security tools and avoiding access to company networks through unsecured connections like public WiFi.
- IT system updates and upgrades to be employed across all devices to ensure maximum protection from cyber threats.
- Clear response plan in the event of a cyber-attack.
- Consider cyber-insurance.
The bottom line is that there is no longer room for complacency when it comes to implementing the right systems, policies and procedures to maintain the security and privacy of company data.