Family Offices: Enemies Under the Bed
19 December 2017
The majority of employees are loyal and conscientious. However, armed with privileged access, strategic information and commercial data, anyone can pose a threat. Family Offices are especially vulnerable due to the high levels of autonomy often afforded to employees.
Following on from our previous article on Family Offices and cyber security, it is pertinent to discuss the threat stemming from individuals and employees. We consider the threat in four categories, mirroring the employee lifecycle:
- Infiltrators: attempting to join the organisation to cause damage, for example through investigative journalism, misrepresentation or deliberate sabotage;
- Insider Threats: within the organisation, damaging it, for example through unauthorised access to and/or disclosure of confidential data;
- Bad Leavers: outside the organisation, seeking to damage it, for example through theft or sabotage against money, data or systems;
- Closer to Home: how employee technology use can be a threat outside of office hours.
Transparent, low-maintenance assurance for family principals that all is under control on the Employee Risk front is essential. In many Family Offices there is no HR department to police these threats, and the burden often falls onto an already overstretched CFO or even CEO. This means that measures must be fast, light touch and effective.
Screening must be proportionate to each hire. With the right governance in place, the main infiltration to worry about is infiltration for criminal gain rather than for the purposes of exposing bad practices. Traditional pre-employment screening can be expensive and may not always identify the kind of reputational concerns that worry Family Offices. Instead, consider undertaking basic screening yourself and look to utilise specialist screening if required (this should include reviewing regulatory records where relevant). There are evidence-backed criteria for screening potential infiltrators. Once a flag is raised, more direct questions can be asked of candidates or more in-depth background checks carried out. For senior hires, in-depth screening in the first instance is recommended. Ensure that even very junior staff are vetted if they will have access to any critical information (either electronically or simply by being able to physically access locations where information is stored).
Family Offices need to consider the nexus between access to information and its potential to become a threat. Using criteria based on research, senior executives can decide on positions (rather than individual names) that may pose a risk. In-house profiling for potential risks, such as assessing inappropriate social media activity, can be carried out relatively easily.
Family Offices should also compartmentalise information so that only those with a genuine need can access sensitive information. There are technical and non-technical means to achieve this, such as a clear desk policy and being able to rapidly spot and stop information mining or misappropriation. Chinese walls should be set up if appropriate. Leadership clarification and clear policies on expectations for the use and handling of sensitive information are also vital.
Family Offices must identify whether they have the appropriate contractual, data and compensation safeguards to address the risk posed by bad leavers, or by people who initially left on good terms and subsequently come back to cause problems. These might include ensuring that arrangements are correct for incentive clawback policies and non-dealing, and considering the company or jurisdiction that will provide the greatest protection when hiring and exiting employees. If employees do depart the business, you should have a plan in place to ensure the protection of private and confidential information, using legal recourse if necessary.
Closer to home
As well as ensuring that Family Offices are protected as far as possible from threats posed by individuals and employees, Family Office employees and beneficiaries should be aware of threats closer to home. In particular, anyone with access to a device containing confidential and sensitive information should ensure that it is appropriately secured. This is particularly relevant if other family members (particularly children) have access to devices and can potentially circulate sensitive data unintentionally. This risk is increased if those devices are synced to social media accounts.
The right balance of tactics, which is different for each Family Office, should ensure protection against infiltrators, enhanced security for existing employees and orderly departures when required. Most organisations will already have a range of measures in place, offering various protections against the types of threat discussed in this piece. Often missed, however, is that measures are weak if they are not used together as a system. Considering when and where in the employee lifecycle your Family Office may be vulnerable, and using the right tactics to build resilience, will help ensure that you can sleep easier over the threat posed by prospective, current and ex-employees.