FB News

Prioritising risk management for family offices

By Edward V Marshall

An inconvenient side effect of living in today’s fully digitised world is that threats have also gone digital and become more difficult to discover, track and neutralise. All financial institutions are now faced with the colossal task of protecting against increased threats to their business, no matter how ‘under the radar’ their profiles have traditionally been, family offices included.

And yet, while family offices have seen great development in almost every area of their operations and business, their risk management processes have stubbornly lagged behind. Indeed, even as the numerous vendors in the family office ecosystem have flourished in the last decade, supporting family offices with a growing range and variety of services, how family offices prepare against threats has not improved greatly, if they even have a plan in place at all.

This might not surprise you. Family office executives are often classic examples of jacks-of-all-trades, managing everything from the day-to-day execution of the family office, to their core work of creating value and wealth, to all the other “outside of job description” consulting on everything from legal to accounting to philanthropic matters. What most family office executives usually are not, however, is security professionals or risk experts. Yet risk management will be one of the most consequential but overlooked responsibilities of their job.

All action begins with awareness, and at the core, there are three main issues that currently inhibit proper risk management at family offices.

Underestimation of threats

Family offices are by nature discreet organisations that often actively work to maintain a low public profile. For a long time, this served as something of a security blanket for executives who thought that lack of public awareness or intense privacy translated to a natural protection of sorts. While this may have worked at some point, it’s certainly not possible in our age of information. Just because you’re not actively promoting your profile doesn’t mean that others can’t see you, and in some situations, it can actually make you a more attractive target. There is a misperception that bad actors only target large and well-known organisations because those are the stories covered most extensively by the media. But small and medium-sized enterprises, the category to which most family offices belong, actually receive the majority of cybersecurity attacks, perhaps precisely because criminals expect them to be ill-prepared.

Difficulty in assessing security needs

Despite how much the family office industry has grown and matured, there is still a lack of available data, benchmarking and analysis of challenges—risk management included—for family offices. There are also limited forums for family offices to get together and share experiences and results. Furthermore, due to the limitation in scale and size of most family offices, existing security vendors are often not specialised to serve their needs appropriately. Often designed for large enterprises, security vendors or solutions are usually too expensive, and either overly broad or too deeply focused on a specific problem to be appropriate for a family office. Lacking in both professional expertise and peer-set comparisons, family offices usually end up attempting to set up protective measures based on what they know, when what they don’t know is what they should be preparing against.

A reactionary mindset

In light of the two points noted above, many family offices will choose to spend resources on risk mitigation as situations arise, rather than as prevention. This isn’t difficult to understand: most family offices operate on very lean teams, and the staff is preoccupied with the more demanding issues at hand, rather than worrying about what could potentially happen. There isn’t time to undertake long-term planning exercises, and it’s always tempting to prioritise the happenings of the day over more theoretical concerns. This is exactly the kind of mindset that family offices need to overcome. Years of hard work, trust and value can be wiped out with a single, targeted cybersecurity attack, and the resulting resources required to clean up the mess will likely cost far more than putting plans and protections in place as a defensive move.

Looking ahead, family offices must first recognise that they’re not shielded from threats simply by virtue of their private nature. They must also understand that as they grow in size and expand their services, they are also expanding the points of attack available to bad actors, all of which should now be protected in a comprehensive manner. Whether it is cyber breaches, insider fraud or information leaks, family offices should at the very minimum create a baseline assessment of risk and put in place an actionable plan to manage that risk. For family office executives today, it’s important to keep in mind that their responsibility doesn’t simply stop with the management of assets, but extends to the protection of those assets, the family office, and ultimately, the family itself.