Family Offices' Cybersecurity Awareness Rises, But Needs More Work

Tom Burroughes, Group Editor, March 27, 2023

This news service talks to EY about how it sees family offices grappling with cybersecurity threats and concerns.

When the Biden administration unveiled its national cybersecurity strategy in March, whatever else one can say about government moves on this front, it certainly reminded wealth managers how important security is. 

There was a 38 per cent jump in global cybersecurity attacks in 2022, compared with 2021, according to Check Point Research. As people pivoted to working from home during the pandemic, and continued with more “hybrid” work patterns afterwards, the risks rose. This was not confined to business, because academics were increasingly communicating with their students over the internet instead of in classrooms.

Family offices don’t usually get much attention from the mainstream press, but criminals know that collectively these organizations pack a financial punch. There are about 18,000 families around the world worth $250 million or more and, depending on some measures, as many as 10,000 single family offices. But many of these organizations weren’t launched by technically savvy people, and they’ve had to learn that criminals and other bad actors pose a threat. Besides being exposed to ransomware attacks, family offices are often headed by famous people and can attract malicious attacks.

“There’s increasing awareness of cybersecurity,” Dave Burg, who heads the Americas cybersecurity effort at EY, told Family Wealth Report in a recent call. And the sources of trouble multiply because of the plethora of devices that are now a part of daily life, such as sensors, the internet of things, surveillance cameras and various security systems, he said. 

Besides long-standing concerns about “ransomware” attacks and the use of tech to spy on people, Burg said there are third-party risks. For example, family offices need to understand what happens when a business outsources services. “It is a very big deal for banks,” he said. “Most family offices don’t carry out due diligence as a bank does of third parties. They need to apply best practices.”

Another area of concern is that running a modern family office today, including bill payment, audit, accounting, reporting, portfolio management and other tasks, requires a lot of data. And the more data that comes into play, the more vulnerabilities there can be.

In June last year, EY said in a report that, out of more than 250 single-family offices in 12 countries, almost three-quarters suffered a breach caused by cyber-attackers. However, 72 per cent didn’t have an incident plan to handle the risks and 61 per cent didn’t have processes to spot breaches. Family offices are vulnerable to attack because they were founded by private individuals who often hired lawyers, accountants or even friends to set their structures up [which makes them more visible on internet searches]. Principals of SFOs can also be shy about spending large sums on technology and systems, although cyber-attacks and the pandemic may have accelerated the willingness to act.

The cybersecurity point is part of a wider risk management agenda that family offices need to plug into.

More data, more attack points
“There are lots of different places where there is data,” Bobby Stover, EY Americas Family Enterprise and Family Office Leader, told FWR in the same call. 

On average, about 25 vendors track family offices, he said. “There are lots of different places where there is data.”

Stover said that an important part of his role is in educating principals and improving the low awareness about cybersecurity and the ramifications of security in general. At EY, the firm carries out simulations to test how well, or not, family offices deal with cyber threats and how to recover and be prepared, he said. 

Stover’s colleague hopes that in the next few years, family offices will become more professional at handling cyber risks and other threats. 

“I would hope we would see in five years growth of better, and more holistic solutions for family offices to handle these things for them. It has to be simplified and standardized,” Burg said. “This allows family office members to do what they enjoy doing because there is a professional service handling it [cybersecurity] for them.”

In March, a report from Tenable, a US-based “exposure management” company helping businesses with cybersecurity, found that the most commonly exploited vulnerabilities were up to five years old. The firm issued its annual 2022 Threat Landscape Report. The findings are based on the Tenable Research team’s analysis of cybersecurity events, vulnerabilities, and trends throughout last year. It analyzed 1,335 data breach incidents publicly disclosed between November 2021 and October 2022.

Of the events analyzed, more than 2.29 billion records were exposed, which accounted for 257 terabytes of data. More than 3 per cent of all data breaches identified were caused by unsecured databases, accounting for leaks of over 800 million records. The study found that ransomware remained the most common attack method used in successful breaches.
