Protecting Success – How To Prepare Your Family Office For The Next Cyber Attack

20 Jun 2022

Our Cyber experts share their thoughts on preparing for a cyber attack with the Global Family Office Community Journal.

Cyber-attacks usually start with some form of reconnaissance activity. Often, this involves gathering publicly available information – some of which you may have shared yourself – which, when analysed, allows a cyber attacker to gain critical data or access to systems.

In the case of one particular family office, online reconnaissance and social media monitoring was the entry point for a cyber-attack. This surveillance was performed in order to gather personal information on individuals, background details of business activities and to ascertain the format for the family office’s email address. The cyber attacker then used this freely available information to carefully craft a spoofed email attack to the CFO, purporting to come directly from the CEO, requesting a bank transfer. This specific type of phishing attack cost the family office deeply, both financially and reputationally. Could they have limited the extent to which the cyber-attack damaged them? Yes – but unfortunately, they did not have any incident management plans in place and so were left to navigate the murky waters of a cyber incident without direction; learning as they went along.

The real-world impact of cyber-attacks on family offices can be far reaching. Cyber security shouldn’t just be thought of as a technical endeavour solely reserved for IT professionals or security suppliers – it’s something that everyone in your family and family office needs to play a part in. Today, cyber incidents happen all the time: it has always been a question of when rather than if you are likely to become a victim. In fact, you may not even know you’ve been a victim until it’s too late. Often, breaches aren’t always identified until the data exfiltrated is up for sale or the exposed sensitive information appears online, by which time the reputational damage is already done.

The upward trend in cyber-attacks against business and organisations of all shapes and sizes has been increasing year-on-year globally. The family office environment is starting to realise the greater risks associated with improper cyber security implementations and the impact these have financially and reputationally to a family office business. It is encouraging to learn that nearly 60% of 78 global family offices surveyed said cybersecurity topped the list of late-night worries – proving that it is at least on the agenda of the majority. However, 96% of respondents admitted to having experienced at least one cyber-attack, according to the 2020 Family Office Benchmarking Survey by Northern Trust, a Chicago-based wealth management firm, this shows that cyber incident planning is crucial. A plan is only good if it is ‘match fit’ to be executed over a range of differing situations and to work during a full-blown crisis.

Much more focus and emphasis should be placed on creating a positive cyber security impact within family offices. Rather than having cyber security planning being a one-off tick box exercise, there is an opportunity to drive work forward by being able to demonstrate confidence in incident planning and show that these plans actually work in practice and are being kept updated. It only takes a few simple but effective steps to achieve this.

1.           Treat cyber security plans as living, changing strategies

2.           Prove to yourselves that you and your team have the ability to work through cyber events

3.           Share your experience to strengthen your business security position

Treating cyber security plans as living documents will help build a culture of awareness, signposting how to react during a crisis incident and engendering an appreciation of the evolving threat landscape. Cyber security doesn’t stand still, and neither should your plans. Reviewing the processes and procedures for managing an incident at least annually will help ensure they are still fit for purpose: personnel and business changes also need to be taken into account when reviewing your incident plans. The key question to answer is whether or not the theory of the plan fits the reality of what needs to happen when these plans are invoked. Going through a regular review process will greatly improve the way in which ‘firefighting’ is conducted during a live incident.

An organisation’s reputation is based on its integrity and trustworthiness to conduct operations and business. Cyber security should be part of your Governance (the ‘G’ in ‘ESG’).  A key differentiator will be your ability to swiftly and diligently handle a whole range of cyber security incidents effectively. These may well be events that only occasionally pop up, but which can have a great impact. Crisis and incident teams therefore need to be comfortable running through the process rather than coming to it cold or after a lengthy period of no incident activity. Having at minimum twice yearly table-top or crisis simulation exercises to rehearse a scenario is the best way of validating the core incident team’s ability to follow the process. It also offers the opportunity for the key people in an organisation to make sure they understand the incident management flow and how to work effectively with each other. At the same time, it can be used to highlight areas for improvement in wider business processes and incident plans.

Reputationally, coming out of an incident relatively unscathed may not always be possible – there will always be some form of damage or impact. How this is managed and the degree to which the impact is felt, however, can be lessened. Malicious cyber-attackers regularly share vulnerability information and hacking techniques on underground community forums. However, organisations, including global family offices, generally tend not to share non-publicly disclosed incident data. Being able to draw on experiences of incidents within a trusted community can have a positive impact on building defences, reacting to and planning for incidents by taking into account the ever-changing cyber security threat landscape.  You don’t necessarily need to give away sensitive information, but alerting peers to how you are perceiving and dealing with threats through planning has a wider community benefit and could ensure that the impact of a cyber-attack – and the reputational fallout that comes with it – is less severe.

This article was first published in the Global Family Office Community Journal.