By guest contributor Charlie Carr, Americas Family Office Advisory, EY and Carrie Hall, Americas Family Business Leader, EY
Cybersecurity is a hot topic among family offices, and for good reason. Thriving family businesses have always been ripe targets for thieves and vandals, and the rise of the internet and electronic tools opened additional avenues for such criminals to operate — often with a cloak of anonymity.
With so many risks, and knowing that most family business professionals have very little patience for security and restrictions, we have developed this 10-point cyber protection plan that family business leaders can tap to protect their company’s technology.
1. Technology inventory
The office should maintain an inventory of routers (including those at each family member’s home), computers, tablets, phones and other devices. The office needs to maintain these devices and make sure they have updated antivirus, firewall and similar software.
The inventory should also track family email accounts and how they are used. If the accounts are used for sensitive matters, it may be necessary to use secure or encrypted email, or perhaps another form of communication. Finally, it should track databases and the types of data contained therein.
2. Written cyber policy
Family offices should have a written cyber-protection policy, including a connected-device policy, a password policy, social-media policy and payment-authorization policy. Families rarely have penalties for violating these policies, but writing them down, communicating them and providing education urges the family to think about their behavior.
3. Cybersecurity insurance policy
If the family office oversees family businesses, blog sites or foundations with websites, it should consider cybersecurity insurance. Such policies can cover liability for loss of data, such as client personal data or credit card details; remediation costs, such as investigation, notification and repairs; and settlement costs, such as client-monitoring services, payments or regulatory fines.
4. Vulnerability assessment
Vulnerability assessments identify the weaknesses in a system. For a family office, this should include the family office, businesses overseen by the office (including a foundation office) and each family member’s home systems. Such assessments should be conducted at least annually.
5. Encryption tools
Most offices find it necessary to share confidential information electronically with family members and outside advisors. If sent in standard emails, the data passes through the internet and could be intercepted and read by hackers. One way to prevent this is to use email encryption tools. These tools encode the message before it is sent, and the receiver has a similar tool to decrypt and read the secure message. If someone intercepts the message, it will be indecipherable unless they have the proper decryption tool.
6. Identity protection
Despite all of the best efforts, there remains a risk that a family member’s identity could be stolen. There are many firms that will monitor any new account openings, credit requests and similar activity. They notify clients of any activity, giving them the opportunity to validate the request and prohibit transactions, if desired. They also can create a freeze, such that new accounts cannot be opened. If someone’s identity is stolen, these firms are experienced in helping the person recover from such theft.
7. Cyber education
The family office can use the most robust tools and vendors available, but they need to be paired with cyber education. Family members need to understand how their social media posts may cause harm, how thieves may use phishing techniques to obtain passwords or other key information, and how hackers obtain email passwords and use family member emails to request wire transfers. Cyber education should be a key part of annual family meetings.
8. Data backups
Few people have the discipline to consistently back up their devices on their own, making it a key function for the family office to address. It is generally preferable for backups to be stored off-site, which frequently requires a cloud-based provider. On-site backups could be lost if there is a flood, fire or other disaster at the office. The office should research backup providers carefully to ensure security is not compromised. The office should automate the backups to the extent possible, so the family does not have to launch or initiate the effort.
9. Background checks
The family office should conduct criminal background checks annually on family office staff and vendors. In EY’s recent Global Information Security Survey, 57% of respondents said that the most likely source of a cyber attack is an employee, and 35% said it was a contractor working in their offices.
10. Network monitoring
Family offices should have staff or a vendor monitoring the family office network, business networks and family home networks, looking for signs of an intrusion. Very few family offices have the proper staff to do this internally, so they should rely on trusted outside firms. Such firms monitor systems 24 hours a day and can shut them down in the event of an attack.