Our US correspondent attended last week's FWR Family Office Cybersecurity Forum in New York, hearing experts discuss the state of cybersecurity, new attack vectors and more positively, what can be and is being done to thwart bad actors.

Cyberattacks are becoming more frequent and sophisticated and family offices are increasingly vulnerable. But there’s also good news when it comes to cybersecurity: cyber insurance is becoming more competitive and less expensive.

Cyber criminals are able to deploy the vast amount of data that is already public on LinkedIn, Facebook, Instagram and other social media platforms, in addition to using Zoom calls as a starting point for an attack, according to speakers at the annual Family Office Cybersecurity Forum presented by Family Wealth Report and hosted by BNY.

“Everyone’s information is out there,” Mykolus Rambus, CEO of Hush, a digital protection firm, said. “It’s an open book. Cyberattacks begin with reconnaissance and criminals are looking for points of leverage.” What’s more, the reconnaissance is nearly free, detection is slow and “the cost to attack is tiny versus the cost to defend,” Scott Fogarty, CEO Ridgeback Network Defense. “And the risk of prosecution is near zero.”

To make matters worse, artificial intelligence has introduced “an entirely new attack surface” for cyber criminals, said Waren Finkel, managing director, Northeast, for Omega Systems, citing deepfake impersonation attempts and AI-generated phishing campaigns. 

Family offices “uniquely exposed”
Attackers use “target maps” to “search for the softest entry point” on personal and professional applications, Charlotte Evans, vice president of operations for Cyberwolf, said. 

The result hasn’t been good for family offices. Nearly half of family offices in the US were victims of cyberattacks last year and just 60 per cent are confident that their employees can detect and prevent AI-powered cyberattacks.

Indeed, family offices are “uniquely exposed” to cyberattacks, thanks to a culture of informal approvals, personal assistants, speed over process and a multi-generational structure, Vishal Chawla, CEO of Blue Ocean Cyber, said. 

Catching an insurance break
But family offices are catching at least one break: because the demand for cyber theft and disruption insurance is so high, more insurance companies, including Chubb, AIG and CNA Insurance are entering the market, making it more competitive and lowering prices, according to Seth Spreadbury, national family office practice leader and vice president at Marsh McLennan Agency.

“The market is expanding and more companies are getting into it,” Spreadbury said. “Insurance companies prefer you [to] pay less premiums than have to pay out a lot later. Family offices should shop around.”

“Expanded risk landscape”
Nonetheless, family offices face plenty of challenges going forward.

Artificial intelligence has “expanded the risk landscape” from cybersecurity to data privacy to “emergent risks for generative AI,” including bias, hallucinations, data poisoning and opaque decisions, Murali Nadarajah, global head of R&D and AI for Eton Solutions, said.

Family offices need “a new paradigm of detection” with an emphasis on “preemptive security,” Fogarty said. All the more so, because hackers can now stay in a system for 100 days or more, said Blue Ocean’s Chawla. 

Improvement checklist
So what should family offices do to improve cybersecurity?

--  Establish approved enterprise AI platforms, Omega Systems urged. Create formal acceptable use policies and classify what data can and cannot be shared with AI tools. Require human review for all AI-generated outputs.
--  Make sure cybersecurity vendors are subject to comprehensive due diligence and be wary of vendor overclaims such as “complete endpoint protection,” “controls all network access,” and “stops data loss,” Fogarty said.
--  Upgrade default security settings, said Josh Bartlett, senior account executive for Cyberwolf.
--  Build a culture of verification. “Cybersecurity isn’t about technology, it’s about trust, verification and resilience,” said Aruna Rawat, chief information security officer for Pure Insurance. Verify via a second channel, use code words, slow down urgent requests and run quarterly drills.
--  Have a check list that includes a written incident response plan, your bank’s direct fraud line, a pre-designated outside counsel, insurer notification protocol and a post incident communication plan, BlueOcean recommended.
--  Review your cybersecurity insurance policy, said Rawat. What it covers may not be enough.
--  Stay away from free AI accounts and don’t use personal AI accounts for work projects, said Farr Shepard, president of Decypher Technologies. And when using AI, “if you don’t want to see what your entered on the front page of a newspaper, don’t put it in AI,” warned Annette Garcia-Acosta,  Decypher’s director of communications.
--  Don’t use passwords for security access. “They don’t work,” said Gary Belvin, chief information security officer for GDB Security. Use apps like passkeys, Touch ID or Windows Hello for Business instead.
--  Make sure there is always human oversight. Around 60 per cent of family office cyberattacks are caused by human error, according to BlackCloak. “The problem with cybersecurity is not technology,” said Spreadbury. “It’s people using technology.”