June 21, 2022
Cybersecurity statistics over the last 10 years show that family offices are at increasing risk of targeted data breaches.
According to Campden Wealth, 28% of family offices and family businesses have experienced cybersecurity breaches. Family offices are targeted because they can hold the wealth and assets of a mid-sized enterprise without the typical corporate defenses in place. They tend to have a small staff, access to sensitive financial information, and prominent, well-known families and celebrities as principals. That combination makes them an ideal target for cybercriminals.
This article covers five critical areas that family offices should consider when addressing cybersecurity risks.
1. Have a company-wide cybersecurity policy: According to Forbes, 40% of family offices don’t have a dedicated cybersecurity policy in place. A cybersecurity policy should include:
- Using long, unique passwords, changing them promptly whenever compromise is suspected, and choosing security questions whose answers cannot be found on social media or in public records
- Adoption of a password manager so that no password is reused across accounts
- Using multi-factor authentication wherever it is available, and verifying any payment instructions, especially wires, by calling back a known phone number rather than replying to the message that requested them
- Use of encrypted email for personal client information such as birth dates, addresses, account numbers and legal and investment related documents
- Regularly backing up all systems and data files, keeping at least one copy offline or otherwise out of reach of ransomware, and periodically testing that the backups can actually be restored
- Requiring a VPN (or equivalent secure connection) for remote access to office systems
- Automatic security updates on all PCs and mobile devices
2. Require regular cybersecurity training: To combat social engineering attacks, employees need to be trained on best practices, the threats they are likely to face, and the procedures designed to stop those attacks. Firms should run regular, firm-wide employee training and make it part of their onboarding process. This training should extend to clients and family members as well, because your data security is only as strong as your weakest link. Cybercriminals have shifted their focus to softer targets (people) now that many firms have implemented electronic detection and preventive measures.
3. Prepare an incident response plan: The time to figure out how to respond to a security breach is not after it has happened. Firms should have a playbook to follow when a breach is discovered. The plan should cover how to contain the damage quickly, who has the authority to isolate or shut down which systems, how logs and other evidence are preserved for investigation, who to call (counsel, insurer, forensic provider), and a communication plan for internal and external stakeholders. This plan should be practiced and revised on a regular basis. Unfortunately, in today’s environment it is not a question of if you will have a cybersecurity breach, but when.
4. Set security standards for technology vendors and service providers: The reality of many family offices is that they rely on outside vendors to deliver or augment the services they provide to family members. These vendors act as an extension of the office, and as such they can expose your office to security threats.
Ask your technology partners to share their security policies and protocols. Have they gone through a SOC (System and Organization Controls) audit, such as a SOC 2, and can they share the report with your firm? Ask which providers they rely on in turn, for example for hosting and for security reviews, and include those subcontractors in any security review you perform.
5. Implement background and credit checks: All employees and new hires, including household staff, should go through a background and credit check. Credit checks should be performed annually and background checks at least every three years. Your employees’ personal situations can change over time. For example, the financial stress caused by a spouse losing their job may put an employee in a compromised position.
The threat from cybercrime is ongoing, and with the pandemic having moved most firms to remote work, now is the time to revisit your risks and plans in this area. Review what assumptions were made about the work environment and how that environment has changed. If your plans were based on the assumption of a workforce working from the office and that workforce is now remote, you may have unintended security gaps.
This blog post is for educational and informational purposes only. It is provided as a courtesy to the clients and friends of AgilLink. AgilLink does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of AgilLink. Please cite source when quoting.
AgilLink is an RBC company and a wholly-owned subsidiary of City National Bank Member FDIC
City National Bank is a subsidiary of Royal Bank of Canada. Deposit products and services are provided by City National Bank.