Cybersecurity Best Practices for Family Offices

With cybersecurity breaches on the rise, here’s how family offices can better protect themselves.

Family offices are a key target for cybersecurity breaches and, with many organizations requiring their employees to work remotely due to the COVID-19 pandemic, the risks have only increased.

With cyberattacks on the rise, many family offices are focusing their attention on how to protect themselves. Here’s a look at some of the most common types of cybersecurity breaches and what family offices can do to stay safe.

Most Common Cybersecurity Breaches Amongst Family Offices

The most common cybersecurity threats that family offices fall victim to include Business Email Compromise (BEC), which encompasses ransomware, data theft and server access, ultimately targeting personnel. Another threat to family offices is fraudulent diversion of funds flow.

BEC events typically occur through phishing emails designed to prompt an individual to click on a malicious link, open a malicious document or trick the person into disclosing their credentials for logging onto a corporate email system. Once the attacker gains access to a corporate email system, the damage is done, which can include data theft, fraudulent wire transfers, fake capital call notices and ransomware.

“With ransomware, what we’re hearing is it’s a dual threat,” said Joseph Quinan, Director of Client Services for the Family Office Group at BNY Mellon Wealth Management. “A family office, especially if they’re unprepared, has to deal with two crises at the same time and think to themselves 1) ‘We don’t have access to our information,’ and 2) ‘They have our information and can take action against us.’”

Often, these cybercriminals do not stop at a single breach of a family office. They are repeat offenders, and family offices must be aware that once cyberattackers access their information, they can come after them repeatedly.

Ransomware attacks doubled from 2019 to 2020: there were 676 breaches that included ransomware as an element of the attack, a 100% increase compared to 2019, according to Risk-Based Security’s 2020 year-end data breach report. The most common type of cybersecurity breach prevents someone from accessing their computer files, systems or networks and demands they pay a ransom for their return. Such attacks can cause costly disruptions to operations and loss of critical information and data. More severe attacks can encrypt files and folders on both local and shared drives and other networked computers. Most of the time, a person might not know their computer is infected and only discovers it when it is too late, when they can no longer access their data or they see computer messages demanding ransom payments.

It is incumbent upon family members to practice good online hygiene, be it in their social media presence or their use of email, to lessen their chances of falling victim to these breaches.

“It's putting the tools in place so they protect themselves as best as possible, and even then, authenticate back via another channel and validate that it’s a true transaction before any money goes out the door,” Quinan said.

Dan Adler, Managing Director, IMT Shared Services at BNY Mellon added: “Now that people are working remotely, it is important to secure the empty offices and stop hackers from going near the networks and breaking into office computers. For example, they should secure the reception area outside the office if it has a computer that is on the network.”  

Cyberattackers often target finance and accounting personnel and executive assistants at family offices due to their access to key systems and information. One example is an attacker impersonating a senior executive and emailing the finance/accounting department to ask it to initiate a wire transfer. Another is an attacker aiming a phishing scheme at an assistant in an attempt to steal valuable information about an executive at the firm or to use the assistant’s email account to direct other employees to initiate a wire transfer on behalf of senior management.

In addition, since the start of the COVID-19 pandemic, there has been an uptick in cyberattacks relating to the funds flow process for investment transactions, whether a piece of art or real estate, for example. In these instances, attackers would substitute their own bank account information for an investment target just prior to closing a transaction.

Best Practices

The onus is on family offices to implement best practices to prevent themselves from being the victim of cybersecurity attacks. Some of the recommended best practices include:

  • Educate the family members and the office staff;
  • Commit resources to cybersecurity, either through hiring a dedicated IT staff or outsourcing;
  • Develop a robust incident response plan;
  • Purchase insurance; and
  • Evaluate security measures, especially if working remotely.

Educate the Family Members and Office Staff

Educating family members and staff on cybersecurity best practices is key to preventing cyberattacks.

“I think our initial conversations with them are really around education, making sure they have the right resources in place,” Quinan said. “We can’t help prevent a breach between the family member and the family office, but BNY Mellon and other financial institutions have their own cyber protections and operational practices that can help.”

After family members and staff are educated on best practices, the onus falls on family offices themselves and their entire team, from the leadership down through their staff, to implement them. They need to make sure they have the right security in place, that they are working with the right vendors and that the vendors they are using all have cybersecurity protections in place against the bad actors. Other best practices they should be educated on include the use of encrypted email, good passwords and dual-factor authentication.

Commit Resources to Cybersecurity

Family offices also need to invest resources in cybersecurity, whether it means hiring dedicated IT personnel or partnering with an outsourced IT provider to assist them.

“Many family offices don’t have a security professional on staff, and often they don’t even have full-time IT support,” Adler said. “We often emphasize how important it is to have a security professional on staff to follow best practices.”

There are a handful of functions a dedicated IT professional can assist family offices with, from simple tasks such as keeping software up-to-date to more detailed ones such as implementing best practices around passwords, password vaults and secure communications between the family office principals and the custodian. For example, if software is not kept up-to-date and is exposed to the internet, it is open to any hacker who can simply go online and find tools that exploit its known software holes.

Develop a Robust Incident Response Plan

It is also crucial that family offices develop a well-thought-out incident response plan so that everyone involved, from family members to staff, has a physical copy of the plan and knows how to respond if they fall victim to an attack. The designated “first responders” who handle the attack, including the family office’s IT expert, executive in charge, incident response coordinator and individuals who oversee media and legal inquiries, must take action immediately.

“One of the key things is for them to act quickly and to have an incident-response plan in place that was thought out in advance because you don’t have the time to explore options under stress,” Adler said.

Other key steps in the response plan include informing the firm’s insurance carrier and custodian and filing a police report if fraudulent money is involved. In addition, those family offices that are registered investment advisers should leverage the U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity guidance for additional action items.

The faster they complete the steps in the response plan, the quicker they can resume business operations with minimal negative impact and assure investors, employees and other business relationships that the incident or incidents were resolved appropriately.

“There’s really two types of family offices out there: those that have already been victimized and those that are the next target out there,” Quinan said. “And if family offices don’t take preventive measures now, they’re next in line. It’s that simple.”

Purchase Insurance

Family offices also need to make sure their existing insurance policy covers cybersecurity breaches and, if not, they may want to consider buying insurance that covers the cost of responding to an attack. If they fail to follow a cybersecurity insurance policy’s protocol for notifying the insurer of an attack, some expenses that would normally be covered, including legal counsel or forensic IT specialist fees, might not be covered.

Evaluate Security Measures, Especially if Working Remotely

Finally, the COVID-19 pandemic has shone a light on the security measures family offices are encouraged to implement when working remotely, since logging onto work email from a home computer over Wi-Fi that might not be as secure can open doors to bad actors.

“When everyone is working from home, you’ve just extended your attack surface to people’s homes. Securing people’s homes is another whole level of complexity, and we’ve found that people don’t tend to take that step unless they’ve had a real scare,” Adler said.

Some measures include implementing two-factor authentication, which requires individuals to input two pieces of information to log into the system; backing up their IT systems; safeguarding any of their data stored in the cloud; and performing due-diligence checks on potential counterparty relationships to ensure they have secure data protection systems in place.

Conclusion

Family offices that have not prioritized cybersecurity due to the cost, complexity or misconception that they would never be the victims of a data breach have begun changing their outlook, particularly in light of the remote working requirements due to the COVID-19 pandemic. As a starting point, it’s imperative to implement a number of best practices to ensure family offices have robust measures in place to prevent breaches. These include educating the family members and staff, hiring a dedicated IT person to manage the cybersecurity function, developing an incident response plan, buying dedicated cybersecurity insurance, implementing enhanced security measures if working remotely and more. By implementing these guidelines, family offices will be better positioned to avoid attacks and, further, to have the robust controls in place to continue serving future generations.


    The information in this paper is current as of April 2021. It is based on sources believed to be reliable but its accuracy is not guaranteed. © 2021 The Bank of New York Mellon Corporation. All rights reserved.