Top 5 Cybersecurity Practices for Family Offices

Cybersecurity statistics over the last 10 years show that family offices are at increasing risk of targeted data breaches.

According to Campden Wealth, 28% of family offices and family businesses have experienced cybersecurity breaches. Family offices are targeted because they can have the wealth and assets of a mid-sized enterprise, but without the typical corporate defenses in place. Family offices tend to have a small staff and access to sensitive financial information, and they represent prominent and well-known families and celebrities. That makes them the ideal target for cybercriminals.

This article covers five critical areas that family offices should consider when addressing cybersecurity risks. 

1. Have a Company-Wide Cybersecurity Policy

According to CNBC, less than a third of family offices don't have a well-developed cybersecurity policy. A policy should cover practices such as:

  • Changing passwords frequently and choosing difficult security questions.
  • Adopting a password manager to avoid using the same password multiple times.
  • Using two-factor authentication when possible to verify instructions, especially for wires.
  • Using encrypted email for personal client information such as birth dates, addresses, account numbers and legal and investment-related documents.
  • Frequently performing backups of all systems and data files.
  • Using a VPN for remote access.
  • Enabling automatic updates on all PCs and mobile devices.

 

2. Require Regular Cybersecurity Training

To combat social engineering attacks, employees need to be trained on best practices, potential threats and the protection processes designed to avoid attacks. Firms should implement regular, corporate-wide employee training and make it part of their onboarding process. This training should extend to clients and family members as well. Your data security is only as strong as your weakest link. Cybercriminals have shifted their focus to softer targets (people) to get around the electronic detection and preventive measures that firms have implemented.

 

3. Prepare an Incident Response Plan

The time to figure out how to respond to a security breach is not after it has happened. Firms should have a playbook to follow in the event a security breach has been discovered. The plan should consider how to quickly contain the damage and who is responsible for shutting down which systems, and a communication plan should be in place for internal and external stakeholders. This plan should be practiced and revised on a regular basis. Unfortunately, in today’s environment it is not a case of if you will have a cybersecurity breach, but when.

 

4. Set Security Standards for Technology Vendors and Service Providers

The reality of many family offices is that they rely on outside vendors to provide and augment the services they offer to family members. These vendors act as an extension of the office and as such they could expose your office to security threats.

Ask your technology partners to share their security policies and protocols. Have they gone through a SOC (Service Organization Controls) audit, and can they share the findings of the audit with your firm? What providers do they use, such as for hosting and security reviews? Include them in any security review you may perform.

 

5. Implement Background and Credit Checks

All employees and new hires, including household staff, should go through a background and credit check on a periodic and ongoing basis. The personal situations of your employees can change over time. For example, the financial stress caused by a spouse losing their job may put an employee in a compromised position.




This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.  

AgilLink is an RBC company and subsidiary of City National Bank. Deposit products and services are offered by City National Bank Member FDIC.