A conference hosted by this news service focused minds on why family offices cannot afford any complacency about cyber-security threats, and set out steps on how to observe good "digital hygiene".

Family offices may be thought of by their founders as discreet, below-the-radar organizations unlikely to grab the evil attentions of computer hackers. But such thinking is a foolish mistake, given the financial sums at stake in the event of a breach.

There are about 4,500 US family offices and 10,000 family offices around the world, in total overseeing about $15 trillion in assets under management and a significant number are likely to have been hit by cyber-attackers. A danger is that family offices, by their nature, might be places where staff/family members take a less formal approach to their IT and communications than is the case with a bank. Again, such thinking is dangerously mistaken, a conference hosted on September 20 by Family Wealth Report heard.

The person making these points was Edward Marshall, who is director of the global family office group at Citi Private Bank. He spoke at the Family Office Cyber-Security Summit, held at the offices of Kobre & Kim, the law firm, in Third Avenue, NYC.

Speakers at the conference were John F. Curran, partner, Walden Macht & Haran; Benedetto Demonte, managing director, Cybersecurity and Investigations North America, Kroll Associates, Inc.; Annmarie Giblin, senior counsel – Cyber Liability, at Chubb Insurance; James Hunt, managing partner at Lavrock Ventures; Edward Marshall, director, Global Family Office Group, Citi Private Bank, Jake Norwood, director, Cyber Intelligence Center, Citi; Steven Perlstein, partner, Kobre & Kim; Theresa Pratt, chief information security officer, Market Street Trust; and John Ritchie, CEO, GDI Risk Advisory Group LLC.

The event was held within days of revelations that Equifax, the consumer credit reporting agency, had been breached, with 143 million individuals affected (its CEO has subsequently resigned). Banks, logistics firms, the UK’s healthcare system, German railroads, even the US Internal Revenue Service, have been hacked. Reports of such incidents are almost daily news events around the world.

"Perpetrator’s of cyber attacks now come in many forms ranging from criminal gangs to state-sponsored groups. While they may look different and have different motives, they
have learned to take time to penetrate a computer system, bide their time to amass information, and can extract data without victims knowing for some time,” Marshall told delegates. Marshall and Citi Private Bank advise some of the largest family offices globally on a number of matters, one of which is increasingly sybersecurity. He set out the landscape of cyber-security as covering three broad areas: people, processes, and technology.

Marshall spoke about a number of vulnerabilities, including how use of social media, such as Facebook and LinkedIn, for example, can leave family offices susceptible to cyber-attacks. Another problem is that even if a person is careful about their social media habits, their children may not be, creating another problem.

While banks and other financial organizations will normally be highly competitive with one another, they have a common interest in cultivating good cyber-hygiene, he said.

Another arresting statistic Marshall gave was that in 2016, some $3 billion was lost, touching 22,000 victims, as a result of hacks on business emails.

Law and liabilities
Chubb’s Giblin spoke on the theme of “Cyber-Risks and the Legal Landscape”, setting out the raft of criminal and civil law issues arising in the cyber-security landscape. In particular, she listed a dauntingly-long number of legislative acts – not just in the US – that affect industry practitioners. Among the important take-home points was her describing the need to understand the difference between a cyber-security “incident” and a “breach” .(The important difference being the confirmed compromise of sensitive information in a breach.)

Threats come from different sources: some can be rogue present and former staff. In fact, about a quarter of threats in firms are internal, she said. Such a point should not be lost on family offices, Giblin continued. And she noted that while many family offices aren’t registered with the SEC, some 48 states of the Union require the persons whose information was compromised in a data breach to be notified as well as the local government, with failure to do so properly resulting in fines and other penalties, she said. Rules also, to give another example, place the onus on financial firms to ensure proper cybersecurity protections are being utilized by vendors when outsourcing certain functions. With so many family offices outsourcing tasks to contain costs and obtain expertise, this is a significant issue, she said.

Having a robust, well-tested incident response process in place, including ability to obtain rapid legal protection, coupled with insurance cover, is important in reducing the pain of a cyber-attack as much as possible. In this context the proper insurance partner can provide considerable guidance and resources to help mitigate and prepare for this growing threat.

Giblin went through a list of the terms with which the industry needs to become more familiar, such as “phishing”, which is a digital form of social engineering to deceive individuals into providing sensitive information, or “website spoofing”, a term describing the creation of a replica of a trusted site with the intention of misleading visitors to a phishing site.

Panel discussion
Under the title of Suits and Sanctions; Culpability and Cybercrime, Kobre & Kim’s Perlstein and Walden Macht & Haran’s Curran talked about the legal and litigation challenges of the cyber-security world. Perlstein, for example, went through the range of restraining orders and injunctions that can be used in the case, say, of former employees trying to take data from a firm. Most injunctions are negative but some are “positive”, he said. Following on from some of the insights of earlier discussions at the conference, Perlstein said a firm’s chances of winning a case will increase if it shows it had robust procedures and practices in place.

Curran gave a list of significant attacks on a range of banks from around the world, and went into some of the legal details associated with these attacks, the remedies sought, and the continuing issues these cases gave rise to.

In a talk by Kroll’s Demonte, under the title of “Getting Forensic: Breach Prevention, Detection and Investigation”, the audience was shown the various stages of how a cyber-attack breach can be initially identified as such, how investigators work to figure out the scale of a problem and how they find clues about the perpetrators.

His presentation gave a jaw-dropping set of statistic about the scale of the breaches that have taken place recently. For example, 500 million accounts were recently compromised at Yahoo; and 4.8 million persons’ details were obtained at the America’s Job Link Alliance. Of all breaches, perhaps unsurprisingly, 73 per cent of them were motivated by money; 98 per cent of compromises take place in “minutes or less”; and there is malware in one out of 131 emails, which means that during an average day for a moderately busy person, it is likely several emails received could carry a threat, he said.

Besides external threats by criminals, causes of breaches can be as simple and as annoying as mistakes; disgruntled former employees/contractors can pose a risk, as can third-party organizations working with a company. Another cause is theft of a mobile device – there are techniques that allow users to remotely wipe a device (without losing information on a backup) to deal with this sort of issue, he said.

Presentation
Lavrock Ventures’ Hunt explained what his $50 million fund does and invests in; he explained that he invests in “niche” technologies designed to give organizations – such as the US government – tools to not just defend against hackers, but take the fight to them as well. There is not just “defensive cyber” but “offensive cyber” as well, he said. There are moves, for example, to harness machine learning in order to help fight hackers. Some specialist firms are launching simulated attacks to find potential weak spots, much as war-gamers practice in the military sense in the same way and for the same reason, he said.

Offensive cyber-security is a controversial area, he said, but there are moves to define its proper limits – in the US, Congressman Tom Graves (R, GA) has proposed what has been called the “Hack Back” bill, a measure designed to allow entities to destroy data on hackers’ systems. (Such legislation would modify the Computer Fraud and Abuse Act.)

Panel discussion
In the final event of the conference there was a panel discussion featuring   Theresa Pratt of Market Street Trust, Jacob Norwood of Citi; John Ritchie of GDI Risk Advisory Group LLC, and moderated by Chubb’s Giblin. The panellists addressed the theme of Cybersecurity Realities for the Family Office: Threats, Mitigation and Security. Among the discussion points was that of Pratt, who argued that if there are three broad categories of data, ranging from essential (red), to important but not life-threatening (orange) and not important (green), that it might be wise to avoid putting the “red” category data on internet-linked computers at all.

Pratt also reminded the audience of her first message for anyone concerned about cyber-security: “Patch, patch, patch” – always ensure the latest computer updates and protections in software are installed. And secondly, she said, was the message to “train, train and train” – to ensure staff can understand how to use IT safely and be kept alive to good internet/computer habits and hygiene.

Other panellists, such as Ritchie, reminded delegates of the need to be wary in opening emails and being alive to potential tell-tales that all is not well, even by using the example of an email that doesn’t carry a phone number. And Citi’s Norwood talked about the benefit, for example, of people only using a work-based computer for work and not for private/non-work purposes, including emails. And users should make use of Virtual Private Networks, aka VPNs.

Norwood added that even communications such as the “Dropbox” function for transmitting photographs can be vulnerable; asked about such issues, he agreed that if it is not necessary to receive a photo straight away, putting such data onto a disk and delivering it the old-fashioned way was a good idea.

(For a list of the speakers and other details about this event, see here. For forthcoming events as well as an archive of previous conferences, see here.)