The global cybersecurity landscape is under greater threat than ever before from cybercriminals. Phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent every day. The use of stolen credentials is the most common cause of cyber incidents.

Cybercriminals may even compromise the email or network of a trusted third party, to issue an invoice, change account details, or siphon funds. These threats highlight the need for strong cybersecurity awareness for all those within the family office to prevent such occurrences. Family offices can immediately adopt several measures to help protect themselves and their online data. 

The following are some of the most common types of cybersecurity threats and insights into what family offices can do to successfully secure information. Crafting an attack using deception falls under the category of “social engineering”:  it is the entry point in more than 95 percent of cybersecurity incidents and is by far the biggest cybersecurity threat that family offices need to be prepared for. 

Most Common Cybersecurity Breaches Amongst Family Offices

Business Email Compromise 

Business Email Compromise (BEC) is a persistent scam aimed at defrauding individuals and organizations. BEC begins when an attacker compromises a legitimate corporate email account (often an executive account, such as a CEO), usually through a phishing email, and lurks inside, observing how payments are made. The attacker then uses this account to send fraudulent emails to request unauthorized fund transfers and divert funds to the attacker’s own account. The scam is highly deceptive and damaging, with huge financial and reputational repercussions. The FBI estimates BEC scams have resulted in $43 billion in losses since 2016.¹ Following established authorization procedures to verify and authenticate requests outside email--for example, by phone, in person or through video call -- combined with strict controls and checks in place for making transfers is imperative.

Credential Theft

Credential theft is the goal of many phishing attempts. An email recipient is encouraged to visit a legitimate-looking login page in the hope they will input their details (usernames and passwords), the login page may look authentic, but the website address is spoofed to lure the victim to a fake website, where they will ultimately seek control of the victim’s details. Stolen credentials are often used to gain access to accounts. It’s good practice to visit the site haveibeenpwned.com and enter your email address to see if any accounts have been compromised. Any passwords that have been found should be immediately changed on the affected account.

Vishing

Often as a prelude to a phishing attack, vishing (short for “voice phishing”) attacks are unsolicited phone calls from fraudsters, recruiters, and competitors claiming to be representatives of a reputable company requesting personal and/or confidential information. Callers may try to manipulate you using tactics such as empathy, urgency, or threatening language to elicit information. Just as you would with any stranger, you should never give information about you or someone else to a caller you do not know.

With any of the above social engineering tactics, unfortunately once the attacker gains the information, they need to commit fraud or access to the network, they could cause a huge amount of damage. They could fraudulently make wire transfers, capital call notices, or they could hold the office to ransom and demand a high payment in return for access to its own files, or even threaten to damage the family’s reputation.

One of the biggest draws for cybercriminals is access to data and access to funds, and family offices are prime targets. Cybercriminals may seek out offices with lax security and aim to identify which internal and external parties they could leverage, to open doors for them. Everyone with legitimate access to the office network is part of the solution, to protect these family offices from criminal advances. 

Cyber-attackers favor targeting those with the authority to make immediate transfers, which could include family members, finance and accounting personnel and executive assistants at family offices. However, they will look for any vulnerabilities, any information they can scrape online to build a bespoke approach that will give them inside access.

There has been an uptick in cyberattacks relating to the funds flow process for investment transactions, whether a piece of art or real estate, for example. In these instances, attackers substitute their own bank account information for an investment target just prior to closing a transaction.

To help prevent cybercriminals stealing funds, family offices should implement a system with a series of robust checks and authentication measures to validate true transactions and any changes to account details before any money goes out the door. 

Best Practices

In order to help prevent becoming the victim of cybersecurity attacks, here are some recommended best practices:

• Educate family members and the office staff on social engineering threats and tips for protecting information

• Commit resources to cybersecurity, either through hiring a dedicated IT staff or outsourcing

• Develop a robust incident response plan

• Purchase cybersecurity insurance

• Evaluate security measures.

Educate the Family Members and Office Staff

Get all family members and staff on board with cybersecurity threats and best practices to prevent a successful cyberattack.

Strong cyber safety awareness is vital across family offices, from the leadership down through all members of the team. This includes many of the steps below, but as a starting point office-related activities should only be conducted on protected devices and accounts. This also means no use of personal email accounts, which may be more easily compromised or infiltrated. Performing risk assessments, in combination with putting cybersecurity protections in place, can lessen the risk of a successful cyberattack. 

In recent years, the National Institute of Standards and Technology revised its guidance to recommend that passwords be replaced by passphrases.² A passphrase is a password composed of a sentence or combination of words. Passphrases are longer than the average password, making them harder to crack and increasing the overall security of a user’s account. The most important characteristic of a passphrase is length (15 characters or more). A passphrase should include uppercase letters, lower case letters, digits, and preferably at least one special character. No part of it should be derivable from personal information about the user or his/her family. And of course, a unique passphrase for each account is vital. Recycling of passphrases between accounts is much too risky and may open the "vault" to cybercriminals.

Ensure access to the network is further secured by using multi-factor authentication. To access the system, each person will then use their login details, unique passphrase, and another form of security, for example a hard or soft token which produces a series of numbers that change frequently. 

Anyone keen to avoid identity theft or compromise should consider all information available online about the family and its operations. Exert great caution with information shared online, and particularly social media, as even a personal account with restricted views could be compromised and details misused by cybercriminals. Multifactor authentication should be implemented across all social networking accounts.

Commit Resources to Cybersecurity

Technology continues to evolve, and new threats constantly emerge as bad actors become more sophisticated. Family offices should consider investing resources in cybersecurity, whether it means hiring dedicated IT personnel or partnering with an outsourced IT provider to assist them.  

A dedicated expert will be able to guide you on recommended cloud storage plans, helping to ensure that your data is backed up and can be restored. This means that in the event of a flood, fire, physical damage, or theft, you can still access your saved files and data and may mitigate the impact of a ransomware attack. 

With the right expertise, an in-house consultant or full-time member of the team can assist family offices with keeping software up to date and securing communications between the family office principals and the custodian. For example, failing to keep software up to date opens the door to bad actors with access to tools that can exploit known software loopholes.

Develop a Robust Incident Response Plan

Imagine what could happen if the network as well as all emails, files, and systems you use are accessed by cybercriminals. It’s crucial that family offices develop a well-thought-out incident response plan so everyone involved, from family members to staff, have a copy of the plan and know how to respond if they fall victim to an attack.

It’s incumbent on the designated “first responders” to act immediately to contain the attack, including the family office’s IT expert, executive in charge, incident response coordinator, and individuals who oversee media and legal inquiries. It’s critical to regularly review the response plan and ensure all staff understand how to respond quickly.

Other steps in a response plan include: 

• Inform the firm’s insurance carrier and custodian of an incident.

• Determine whether or not to engage law enforcement. 

• Contact a lawyer who specializes in cyber incident response to assist with the investigation, as there can be litigation matters stemming from the incident. The lawyer will help ensure the office is meeting the legal/regulatory guidance and help manage any notification obligations.

In addition, family offices that are registered investment advisers should leverage the U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity guidance³  for additional action items. 

Purchase Insurance

Family offices should also confirm if their existing insurance policy covers cybersecurity breaches, and if not, they may want to consider buying insurance that covers the cost of responding to an attack. Ensure that you understand the policy requirements, including when you should notify your insurance provider following a security incident and what is considered a covered expense. 

Evaluate Security Measures, Especially if Working Remotely

Even as many workers return to office in the wake of the COVID-19 pandemic, working remotely may still be the norm for others. Putting security measures on home devices and networks is essential. Staff logging into work email from their home computer through Wi-Fi can unwittingly open doors to bad actors.

Some of these measures may include: 

• Changing the default password on a home router

• Implementing two-factor authentication, which requires individuals to input two pieces of information to log into the system

• Using a virtual private network (VPN) on unsecured or public WiFi

• Backing up their IT systems

• Safeguarding data stored in the cloud 

• Performing due-diligence checks on potential counterparty relationships to ensure they have secure data protection systems in place

Conclusion

At BNY Mellon we take great pride in working closely with family office teams. We understand cybersecurity can appear costly and complex, and it’s difficult to ascertain the level of risk at any point. With unsurmountable evidence of the current level of threat from bad actors, we strongly advocate the highest level of provision for cybersecurity. Starting the process is key, making sure robust measures are in place to help prevent intrusion, through to educational sessions on the risks and red flags. With the support of a dedicated IT person, navigating the cybersecurity threat landscape will be easier for everyone, combined with developing an incident response plan and the possible value of purchasing cybersecurity insurance.

By implementing these guidelines, family offices will be better positioned to avoid attacks and further develop robust controls so they can continue to successfully serve future generations.

Footnotes

[1] https://www.ic3.gov/Media/Y2022/PSA220504

[2] https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd

[3] https://www.federalregister.gov/documents/2023/03/21/2023-05766/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business