A conference hosted by this news service focused minds on why family offices cannot afford any complacency about cyber-security threats, and set out steps on how to observe good "digital hygiene".
Family offices may be thought of by their founders as discreet, below-the-radar organizations unlikely to grab the evil attentions of computer hackers. But such thinking is a foolish mistake, given the financial sums at stake in the event of a breach.
There are about 4,500 US family offices and 10,000 family offices around the world, in total overseeing about $15 trillion in assets under management, and a significant number are likely to have been hit by cyber-attackers. A danger is that family offices, by their nature, might be places where staff/family members take a less formal approach to their IT and communications than is the case with a bank. Again, such thinking is dangerously mistaken, a conference hosted on September 20 by Family Wealth Report heard.
The person making these points was Edward Marshall, who is director of the global family office group at Citi Private Bank. He spoke at the Family Office Cyber-Security Summit, held at the offices of Kobre & Kim, the law firm, in Third Avenue, NYC.
Speakers at the conference were John F. Curran, partner, Walden Macht & Haran; Benedetto Demonte, managing director, Cybersecurity and Investigations North America, Kroll Associates, Inc.; Annmarie Giblin, senior counsel – Cyber Liability, at Chubb Insurance; James Hunt, managing partner at Lavrock Ventures; Edward Marshall, director, Global Family Office Group, Citi Private Bank; Jake Norwood, director, Cyber Intelligence Center, Citi; Steven Perlstein, partner, Kobre & Kim; Theresa Pratt, chief information security officer, Market Street Trust; and John Ritchie, CEO, GDI Risk Advisory Group LLC.
The event was held within days of revelations that Equifax, the consumer credit reporting agency, had been breached, with 143 million individuals affected (its CEO has subsequently resigned). Banks, logistics firms, the UK’s healthcare system, German railroads, even the US Internal Revenue Service, have been hacked. Reports of such incidents are almost daily news events around the world.
“Perpetrators of cyber attacks now come in many forms ranging from criminal gangs to state-sponsored groups. While they may look different and have different motives, they have learned to take time to penetrate a computer system, bide their time to amass information, and can extract data without victims knowing for some time,” Marshall told delegates. Marshall and Citi Private Bank advise some of the largest family offices globally on a number of matters, one of which is increasingly cybersecurity. He set out the landscape of cyber-security as covering three broad areas: people, processes, and technology.
Marshall spoke about a number of vulnerabilities, including how use of social media, such as Facebook and LinkedIn, can leave family offices susceptible to cyber-attacks. Another problem is that even if a person is careful about their social media habits, their children may not be.
While banks and other financial organizations will normally be highly competitive with one another, they have a common interest in cultivating good cyber-hygiene, he said.
Another arresting statistic Marshall gave was that in 2016, some $3 billion was lost, touching 22,000 victims, as a result of hacks on business emails.
Law and liabilities
Chubb’s Giblin spoke on the theme of “Cyber-Risks and the Legal Landscape”, setting out the raft of criminal and civil law issues arising in the cyber-security landscape. In particular, she listed a dauntingly long number of legislative acts – not just in the US – that affect industry practitioners. Among the important take-home points was her describing the need to understand the difference between a cyber-security “incident” and a “breach”. (The important difference is the confirmed compromise of sensitive information in a breach.)
Threats come from different sources: some can be rogue present and former staff. In fact, about a quarter of threats in firms are internal, she said. Such a point should not be lost on family offices, Giblin continued. And she noted that while many family offices aren’t registered with the SEC, some 48 states of the Union require the persons whose information was compromised in a data breach to be notified as well as the local government, with failure to do so properly resulting in fines and other penalties. Rules also, to give another example, place the onus on financial firms to ensure proper cybersecurity protections are being utilized by vendors when outsourcing certain functions. With so many family offices outsourcing tasks to contain costs and obtain expertise, this is a significant issue, she said.
Having a robust, well-tested incident response process in place, including the ability to obtain rapid legal protection, coupled with insurance cover, is important in reducing the pain of a cyber-attack as much as possible. In this context the proper insurance partner can provide considerable guidance and resources to help mitigate and prepare for this growing threat.
Giblin went through a list of the terms with which the industry needs to become more familiar, such as “phishing”, which is a digital form of social engineering to deceive individuals into providing sensitive information, or “website spoofing”, a term describing the creation of a replica of a trusted site with the intention of misleading visitors to a phishing site.
Under the title of “Suits and Sanctions; Culpability and Cybercrime”, Kobre & Kim’s Perlstein and Walden Macht & Haran’s Curran talked about the legal and litigation challenges of the cyber-security world. Perlstein, for example, went through the range of restraining orders and injunctions that can be used in the case, say, of former employees trying to take data from a firm. Most injunctions are negative but some are “positive”, he said. Following on from some of the insights of earlier discussions at the conference, Perlstein said a firm’s chances of winning a case will increase if it shows it had robust procedures and practices in place.
Curran gave a list of significant attacks on a range of banks from around the world, and went into some of the legal details associated with these attacks, the remedies sought, and the continuing issues these cases gave rise to.