Operational risk is a shared concern across all types of organisations, but family offices (FOs) face unique challenges related to the security and privacy of family members, as well as the safeguarding of financial assets.
Family offices must be vigilant against fraudulent activity by those seeking to exploit their role as custodians of substantial wealth. However, as revealed by The European Family Office Report 2023 by Campden Wealth in partnership with HSBC Global Private Banking, FOs are very much under threat, with cyber-attacks and data breaches being the most frequently cited operational risks causing concern for 51% of European family offices.
The report found that family offices which are not overly concerned (33%) or unconcerned (15%) likely base their confidence on the robustness of their own cybersecurity measures.
“Effective cybersecurity has both technical and human behavioural characteristics,” says Chuck Costanza, Executive Vice President of Global Guardian, a leading duty-of-care firm supporting high-net-worth families and family offices with a comprehensive suite of security, medical and emergency response services.
“The technology is fairly straightforward: hardening networks against cyberattacks, monitoring for suspicious or malicious cyber threats, creating an incident response plan, and protecting all endpoint devices are hallmarks of good technical cybersecurity. On the human side, awareness is the best defence. It is estimated that human error, not the defeat of technical defences, accounts for 80% of successful cyberattacks.”
“Cybersecurity defences are facing ever more sophisticated attacks,” says Shelley Grayson, a Chief Compliance Officer in the fields of Financial and Web3 Services. “Tech defences are struggling to keep pace, which means people defences matter even more. Screening and supervision of potential internal bad actors, coupled with consistent social engineering training matter more than ever.”
“It’s important to understand your own environment; protecting family offices starts with establishing a clear picture of what information assets you have, in terms of what devices you have, what is the key information and where it is stored,” says Dave Harvey, Director of Cyber Response Services at KPMG. “From this, it is then possible to focus on protecting from threats through installing reputable anti-virus software and protecting devices by using inbuilt tools such as password protection, multi-factor authentication and precautions like avoiding unknown wi-fi hotspots and dodgy applications.”
Factors that could be considered concerning for family offices, such as the failure to upgrade technology, inadequate management information and reliance on too many manual processes, do not appear to be causing significant alarm among European family offices, according to the report. Only around a quarter of them describe concerns about these issues, suggesting that they might have well-established processes, controls and up-to-date technology solutions. However, considering the ingenuity of cyber-criminals, FOs need to stay on their toes.
“Family offices must strike a balance between security and functionality while staying a step ahead of cybercriminals,” says Chuck Costanza. “Locking down systems to the point of making workflows impractical is not a solution. That said, the ingenuity of cybercriminals is remarkable. The advent of generative artificial intelligence (AI) brings new threats, such as malware that can avoid detection, the ability to use a person’s voice or image to impersonate them and the ability to defeat CAPTCHA tests.
“According to a report by Splunk, 75% of Chief Information Security Officers polled believe that AI gives an advantage to attackers over defenders. Therefore, while sophisticated cyber defences and heightened user vigilance may seem sufficient, complacency in this arena is an advantage for cybercrime. Periodic audits for family offices to identify areas of improvement for cyber security are a best practice.”
The report - which is based on a statistical analysis of 102 survey responses from European single family offices and private multi-family offices with a collective wealth of US $177 billion - reveals that 11% of European FOs have been victims of a cyber-attack in the past 24 months. This percentage is notably higher than the incident rate among family offices in Asia-Pacific (only 3%) but much lower than the experience of North American family offices (19%).
“Attackers are incredibly transactional and have focused relentlessly on areas that have been most profitable for them,” says Dave Harvey of this global discrepancy. “This has seen a stark rise in cyber-attacks in Europe over recent years across all sectors. Why each area is targeted could be the result of specific regional conditions, such as differing regulatory regimes, general cybersecurity awareness, technological infrastructure and economic conditions.”
“The worldwide inconsistency in cyberattacks is likely due to several factors: willingness to pay ransom to cyber attackers, the prevalence of remote work, the prevalence of interconnected devices (Internet of Things), affluence of the targets, value of data and common language all play roles,” adds Chuck Costanza. “These elements all contribute to the attractiveness of a cyber target. In a 2023 report on cyber-safety, 14 of the safest ranked countries are in Europe. The US is ranked 16th safest.”
The majority of these incidents were simple phishing attacks which left no family suffering a material financial loss, system outage or data breach. However, a small percentage reported an insignificant loss. Overall, the reported frequency and severity of cyber-attacks is lower than perhaps expected, with 48% of family offices revealing they are not overly worried due to their confidence in the strength of their internal controls and protocols.
“Several factors could contribute to the small percentage of material financial loss as a result of cyber incidents and the confidence shown by family offices in their own cybersecurity, such as the use of cyber insurance to provide protection and remuneration in the event of an incident, or potentially even incorrect categorisation of incidents,” says Dave Harvey. “A highly likely scenario for a family office is that of a business email compromise attack, where attackers try to convince businesses to transfer funds or disclose sensitive information. The result of this type of attack may be classed as fraud rather than cyber-attack and is seldom newsworthy, though often more common than ransomware. The UK National Cyber Security Centre has provided some useful information on this type of attack.”
In an increasing effort to combat cyber-crime, the report found that 83% of family offices employ back-up servers and 73% enforce a data security policy. Dual authorisation of payments (71%) has become the standard defence against theft and fraud. To a lesser extent, family offices also rely on staff training (49%) and their own family office handbooks (29%). In most instances, adoption of measures by European family offices is greater than their uptake by family offices globally. However, proportionally fewer European family offices have a business continuity plan detailing how operations might continue in the event of a natural disaster or other emergency.
“Having a business continuity plan is crucial to ensuring that business continues securely in the event of a natural disaster, terror attack, political unrest etc.,” says Chuck Costanza. “Before needing the plan, family offices should identify a crisis team that would act in the event of a disruption, conduct a risk assessment, conduct a business impact analysis, develop an incident response plan with clear roles and responsibilities, and practise the response (such as a tabletop exercise).”
While solid systems and processes are vital to crack down on cyber-criminal attacks, human vigilance within the family office ecosystem is just as important in the fight against online fraud.
“Governance is not just about running board meetings talking about investment decisions,” says Shelley Grayson. “It's about fulfilling fiduciary duties alongside the privileges of managing wealth on behalf of others. This means that where family offices do not tailor, embed and test Interservice/Industry Training, Simulation and Education Conference (ITSec) governance, and basic operational resilience defences - such as Business Interruption Plans and multi-signature/factor authentications - they are failing in their duties to their principals.”
“There are a series of proactive measures that can be adopted by family offices to minimise the risk of fraudulent activity,” says Dave Harvey. “In addition to the development and maintenance of security controls around information systems mentioned previously, there are a range of activities that can be applied, such as: implementing the principle of least privilege and role-based access; implementing segregation of duties; implementing background checks on employees; conducting due diligence on vendors and third parties used; training and educating employees on the signs of fraudulent activities and actions to take; and by considering legal measures to protect against fraud, such as contracts that emphasise security controls.”
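To make concrete how the controls named above fit together against the business email compromise scenario Dave Harvey describes, here is a small payment-release model (an added illustration, not code from the report, KPMG or Global Guardian). It enforces role-based access, segregation of duties between the person who initiates a transfer and the person who approves it, dual authorisation, and a hold on any payee whose bank details are new or have changed until they are confirmed out of band. All names, roles and account strings are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # least privilege: a user holds only the roles the job needs


@dataclass
class Payment:
    payee: str
    account: str
    amount: float
    initiated_by: str
    approvals: list = field(default_factory=list)


class PaymentControl:
    """Release checks: role-based access, segregation of duties,
    dual authorisation, and out-of-band verification of changed bank details."""

    def __init__(self, known_payees):
        # payee -> previously verified account (constructed sample data)
        self.known_payees = dict(known_payees)

    def initiate(self, user, payee, account, amount):
        if "initiator" not in user.roles:
            raise PermissionError(f"{user.name} may not initiate payments")
        return Payment(payee, account, amount, user.name)

    def approve(self, user, payment):
        if "approver" not in user.roles:
            raise PermissionError(f"{user.name} may not approve payments")
        # Segregation of duties: the initiator can never be an approver of
        # the same payment, and nobody can approve twice.
        if user.name == payment.initiated_by or user.name in payment.approvals:
            raise PermissionError("initiator cannot approve their own payment")
        payment.approvals.append(user.name)

    def release(self, payment, callback_verified=False):
        # Dual authorisation: initiator plus at least one distinct approver.
        if not payment.approvals:
            return False, "dual authorisation required"
        # A changed or unknown account is the hallmark of invoice-redirection
        # BEC; hold it until confirmed by phone on a number already on file.
        if self.known_payees.get(payment.payee) != payment.account and not callback_verified:
            return False, "bank details changed: verify out of band before release"
        return True, "released"
```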