With cybersecurity breaches at well-known companies hitting the headlines, it is easy to believe that family offices which maintain a low profile would not be a prime target for digital fraud.
However, this ignores the attractiveness of the information that is stored by a family office, their advisers and their financial institutions—information and data which is potentially useful to criminals who wish to steal from, harm or damage the reputation of a wealthy family.
The threat for family offices has increased since the implementation of the Common Reporting Standard. Designed to help fight against tax evasion and to protect the integrity of tax systems, this is an information gathering and reporting requirement for financial institutions in participating countries which requires banks and investment management firms to collect and report certain information relating to each customer’s tax status.
The information requested under the Common Reporting Standard includes, name, address, place and date of birth (for individual and controlling persons) countries and jurisdictions of tax residence, tax payer identification numbers, place of registration and incorporation for entities, entity type (for entities) and controlling person type for certain entity types. This information is sent by family offices and stored at financial firms and also communicated and shared with tax authorities—thereby creating additional points for unauthorised access.
The other big risk is the increasing interconnectedness of devices as part of the internet of things (IoT) and the use of cloud computing.
Wealth permits families to purchase the latest and the best in designs and technology, whether that is for their entertainment, their transport or their homes. But, if your home and your car are tracking your movements, then who else might be able to gain access to this data? The use of social media to share seemingly innocent news can also give cybercriminals valuable information on family whereabouts, habits and activities.
Cybercrime may not always arrive from outside the family office via a virus or malware. It is important to recognise the human risk factors. Always perform full due diligence checks on new staff and any outsourced service providers before hiring. Individuals who suffer financial stress because of issues such as addiction and gambling, or who are at risk of blackmail, can be targeted by criminals looking to gain unauthorised access. An outsourced service company could permit access by unvetted staff and poor cybersecurity practices could infect your systems and devices. Your solicitor will be able to advise on precautionary measures when reviewing any outsourcing arrangements.
It is also important to keep staff and outsourced providers under review to ensure that vulnerabilities do not arise. Control who has access to your data and services, limit who has administrative account privileges, and remember to keep these under regular review. Training in your cybersecurity policies and practices needs to be a regular occurrence.
Many family offices are not large enough to employ a dedicated IT specialist, but it is vitally important that directors become cyber-aware and act to protect confidential data and equip themselves to mitigate cybercrime.
While perfect security cannot be guaranteed, the threat to families can be mitigated by taking basic steps such as: implement firewalls; upgrade security settings; adopt best practice for passwords; use two factor authentications for important accounts; only permit downloads of software from approved sources; protecting yourself from malware; and keep your devices and software up to date.
Family offices need to put in place a crisis management plan in case they suffer a data breach or another kind of cybersecurity attack. The crisis management plan performs three key functions.
Firstly, you need to have a disaster recovery plan in place with your IT provider which ensures access to backups in case your system is subject to a denial of service attack, or it is held to ransom and threatened with deletion of data unless a ransom is paid.
Secondly, you need a communications strategy to deal with internal communications and reputation management. You should maintain a list of key stakeholders and contacts to warn in the event that anyone tries to attack or compromise your contacts. Your solicitor should be included to handle any regulatory duties to notify data breaches.
Thirdly, you will need an audit of all devices and data storage to ensure that problems can be isolated and contained and weaknesses identified. Plans will need to be drawn up to reduce the risk of a similar attack happening again.
It is vitally important that you keep cybersecurity under review, that you update policies and procedures as the nature of threats and actors change, and that you ensure everyone in the family office is aware of their role in managing this risk.