Insider Threat Panel Discussion: Executive Summary For Family Offices

Editorial Staff June 19, 2025

Threats from "insiders" can often be as serious as, if not more serious than, those that come from outside an organization such as a bank or family office. Panelists at last week's cybersecurity forum for family offices, hosted by this news service, got into the weeds of the topic.

In another summary and overview of a panel discussion about threats that family offices face, held at Family Wealth Report's Family Office Cybersecurity Forum in Manhattan, the speakers discuss "insider threats." More on the panelists below the article.

(Photo below, from left to right: Lisa Nelson, Matthew Webster, Karen Pocious and Tim Schnurr (moderator)).

Last week's panel on insider threats brought together industry experts to address one of the most pressing security challenges facing modern organizations: malicious insiders. Unlike negligent behaviors such as clicking phishing links or falling victim to social engineering, this discussion focused specifically on deliberate actions by employees who misappropriate data assets when transitioning to new roles. Schnurr is a legal expert specializing in intellectual property protection; Nelson is a risk management consultant focused on data governance; Pocious is a compliance and governance specialist; and Webster is a chief information security officer.

Their collective insights provide a roadmap for organizations seeking to build comprehensive insider threat programs that balance security with operational efficiency.

Tim Schnurr’s legal framework perspective
Schnurr emphasized the critical importance of establishing robust legal foundations for insider threat protection, drawing from recent high-profile cases such as the Deel versus Rippling litigation. His approach centers on creating multiple layers of legal protection that enable organizations to pursue remedies across various jurisdictions.

Key elements include clearly defining trade secrets, implementing reasonable protection measures, and ensuring comprehensive intellectual property contracts with work-for-hire provisions. He said effective programs require structured training documentation and systematic exit checklists that create legal accountability. Organizations must mandate employee disclosure requirements, ensuring new hires cannot bring trade secrets from previous employers while establishing clear protocols for handling potential conflicts of interest. Perhaps most importantly, Schnurr said that even without sophisticated detection tools, visible legal frameworks create significant preventive effects, as potential bad actors are deterred by the prospect of facing consequences across multiple legal venues.

Lisa Nelson’s data governance, risk management approach
Nelson positioned data governance guardrails as crucial to preventing insider threats, advocating for systematic approaches that embed security into daily operations rather than treating it as an afterthought. She recommended integrating compliance expectations directly into employment contracts and performance evaluations, requiring employees to provide specific examples of how they adhered to cybersecurity protocols during year-end review processes. She emphasized the importance of documenting how employees handle pressure to deviate from established policies, creating both accountability and learning opportunities. For family offices, Nelson offered a clear takeaway: data governance must scale beyond individuals to become part of institutional memory. This is especially critical when assessing or managing portfolio companies.

Governance maturity, including how founders handle sensitive data, communicate exits, and respond to pressure, should be part of extended due diligence and is central to the investment thesis. Nelson said proactive, transparent governance not only mitigates risk but signals operational readiness and leadership integrity, which are key drivers of long-term value. Her approach fosters sustainable compliance cultures that protect sensitive information without stifling agility, making it a model for both in-house operations and portfolio oversight.

Karen Pocious’s culture and leadership development strategy
Pocious focused on the foundational role of leadership commitment and organizational culture in creating effective insider threat programs. She argued that sustainable compliance requires genuine leadership advocacy rather than superficial policy implementation, emphasizing that leaders must actively model ethical behavior while integrating compliance into core business strategy and objectives (i.e. “tone at the top”). Her framework requires leadership to provide adequate support for compliance functions, demonstrating organizational commitment through resource allocation rather than mere policy statements.

She extended this philosophy to family offices, noting that family members must support organizational compliance by following security protocols, including using firm-approved email accounts and communication portals and meeting VPN requirements. Pocious called for clear acceptable use policies that are regularly updated to reflect changing technology and external threats, emphasizing transparency and accessibility as crucial elements for fostering cultures where compliance is understood and valued.

Her approach includes comprehensive training programs using interactive scenarios and case studies, combined with open communication channels that encourage employees to report concerns without fear of retaliation.

Matthew Webster’s technical controls, detection capabilities
Webster brought a CISO's perspective that extended well beyond technical controls, emphasizing the cultural, behavioral, and leadership dimensions of cybersecurity.

Rather than relying solely on tools, Webster focused on creating a risk-aware environment where employee behavior is shaped through thoughtful incentives, workflow feedback, targeted training, and a culture of accountability.

Webster said aligning cybersecurity efforts with business priorities is essential; security cannot be effective if it operates in isolation. By embedding risk-based thinking into everyday decisions, Webster helps organizations focus on what matters most, avoiding both over-engineering and blind spots. He advocated for tying incentives to outcomes that reduce risk, while also encouraging employees to identify process gaps or third-party exposures. While the secure use of technology and behavioral baselining play a role, Webster said that true resilience stems from empowering people, simplifying compliance, and ensuring that security supports, rather than slows, the mission. For Webster, cybersecurity is ultimately a business function, and leadership must treat it as such.

Family office takeaways and implementation strategy
Family offices face unique insider threat challenges given their handling of highly sensitive financial information and personal family data, and their often limited cybersecurity resources compared with larger institutions. The panel's insights provide a practical framework for family offices to develop proportionate insider threat programs that protect family privacy and wealth while maintaining operational efficiency.

The legal framework elements are particularly crucial for family offices, which often handle multi-jurisdictional assets and require protection across various legal systems. Schnurr’s emphasis on trade secret protection and clear contractual obligations provides essential foundations for family offices managing investment strategies, family business information, IP rights, and personal financial data.

Nelson’s data governance guardrails offer family offices a systematic approach to protecting sensitive information while enabling necessary business operations. Her focus on positive behavioral nudging through performance integration and training documentation creates sustainable compliance cultures that extend beyond individual employees to organizational knowledge and their portfolio companies. Pocious’s leadership commitment framework is especially relevant for family offices where family members often serve in governance roles and must model appropriate security behaviors for staff.

Webster’s technical controls provide family offices with scalable approaches that can grow with organizational needs while maintaining cost-effectiveness. The integration of incentive alignment with compliance performance provides family offices with practical tools for encouraging appropriate behavior among staff who often have access to highly sensitive family and financial information.

The panel's collective wisdom suggests that family offices should implement graduated approaches, starting with essential legal frameworks and basic policies before advancing to comprehensive technical controls and cultural integration. The key insight for family offices is that effective insider threat protection requires treating security as an organizational capability rather than a compliance burden, creating environments where protecting family interests becomes part of institutional DNA rather than an external obligation. Success depends on family leadership commitment, systematic implementation of controls, and continuous adaptation to evolving threats while maintaining the personal service and flexibility that characterize effective family office operations.

The panel members:

Lisa Nelson is a board advisor, strategic operator, and investor with deep expertise in scaling high-growth companies, strengthening governance, and navigating regulated markets. She is currently a member, investor and director of Family Office Services at Wealthing VC Club.

Karen Pocious leads WTW's Financial Services Industry Group for North America. She advises firms on a broad range of strategic, human capital and operational issues, including target operating model design, governance, performance and cost management, risk and compliance management, strategic workforce planning, and incentive program design and implementation. Before WTW, Karen worked at Deloitte and AON on human capital optimization.

Matthew Webster is a cybersecurity leader with a career that began in 1997 at a university computer center and quickly advanced to the federal level. Today, he leads Cyvergence, a cybersecurity advisory firm helping companies navigate complex risks with practical, business-focused solutions. His mission: to make cybersecurity a smarter, more strategic part of every organization.

Tim Schnurr is a managing partner at LeastTrust. LeastTrust advises mid-sized companies on insider threat defense and proprietary data protection. Previously, he co-founded a cybersecurity SaaS product focused on DLP and data access management. Earlier in his career he was an IP and cybersecurity strategist at Deloitte and ICAP Ocean Tomo.
