- More than one-third of family offices had at least one cyberattack in 2022.
- Firms that serve the wealthy spend too little to fend off email hacks and ransomware.
- Insider spoke to EY about why the rich skimp on security and how they can protect themselves.
When it comes to fending off hackers and other cyber threats, the world’s richest people can be surprisingly stingy.
Many set up family offices to manage their affairs; these firms range from hedge-fund-esque vehicles with chief investment officers to small operations with a few employees who handle bill pay. Analysis of North American families by Campden Wealth found that, on average, offices held about $2 billion in assets but spent only $48,000 on cybersecurity.
More than one-third of North American family offices experienced at least one cyberattack in the 12 months before Campden's 2022 report. But despite having the financial resources, many family offices are reluctant to beef up their cybersecurity because the return on investment is unclear until it's too late.
It comes down to three problems, said Bobby Stover, who leads family office and enterprise services at Ernst & Young. When it comes to cybersecurity, family office principals are cheap, uneducated, and “don’t want to deal with it,” he told Insider.
Why family offices are so vulnerable to hacks
Like the rest of us, the rich have gadgets like Amazon Alexas, routers, iPads, and smart TVs that connect to Wi-Fi and pose security risks. The problem is compounded when you consider several generations of a family across multiple properties, jets, and yachts, according to Dave Burg, who leads cybersecurity consulting at EY Americas.
The accounting giant helps process cyber insurance policy claims, assesses risk, and, in partnership with tech firms like Microsoft and CrowdStrike, helps family offices develop response plans for cyber threats.
Simple things like not updating a laptop or phone can pose a risk. A common mistake principals make is assuming someone else is taking care of these seemingly trivial tasks, according to Stover.
“Families are porous, and the number of electronic devices and vendors that they have now makes them more porous,” he said.
One of the most common hacks is email compromise, in which someone impersonates a family member via email and asks the family office to send a wire transfer, said Burg. The money is gone before the breach is discovered.
Another common attack, known as ransomware, is when someone infiltrates the family office's servers and threatens to expose personal data or blocks access to it until the family pays up.
There are many ways to prepare for cyberattacks, such as penetration testing. "Pen" tests, usually conducted by a third party, assess a company's security by attempting a hack. They cost anywhere from $25,000 to $65,000. Additionally, hiring a full-time chief information security officer (CISO) to monitor threats can cost between $300,000 and $500,000 a year, but family offices often struggle to understand the benefit for the price, according to Stover.
But the price of a hack can be far worse. One survey found an incident that cost a family office more than $10 million. In one instance, according to a JPMorgan whitepaper, a family office paid a ransom of $500,000 after being locked out of its servers for 10 days.
An ounce of prevention is worth a pound of cure
Pen testing is just one measure family offices can take to fend off threats.
The first step is basic education in cybersecurity for both staff and family members. Employees can make surprisingly simple mistakes like writing passwords down on a sheet of paper kept in the office, said Stover.
Many principals feel their staff should be educated rather than themselves or their families, he said. But families can create problems when, for instance, a Gen Z heir posts an Instagram photo from the family yacht and tags their location.
Stover added that reviewing security protocols and taking inventory of all electronic devices are a few preemptive measures that lower the chances of cyberattacks.
And family offices should have incident response plans. The faster a family can identify a cybersecurity breach, the less likely the attack will result in significant losses, Stover said.
“If you don’t have an incident response plan, by the time you pick up the phone and call EY and I can get Dave on the phone with you to even figure out what happened, it’s probably too late,” Stover added.