In the second of a series of reports, our US correspondent spells out more of the discussions around cybersecurity at last week's Family Wealth Report Cybersecurity Forum in Manhattan.

When it comes to cybersecurity, family offices face a paradox, according to Matt Semino, senior client strategist for BNY Wealth: they have “significant wealth, but limited resources,” making them very vulnerable to cyberattacks and data breaches.

How family offices can best protect themselves was a major theme at the recent Cybersecurity Forum in New York City, hosted by Family Wealth Report. (To see the first article on the forum, click here.)

For starters, family offices need to recognize that in a digital environment of cloud applications and services, remote work, and employees using their personal devices for work, “the actual device is often less important than the identity of the person accessing the data, which is what must now be protected,” according to William Dixon, chief information security officer for cybersecurity service firm VioletX.

Preventative anticipation, awareness, good governance and continual evaluation and assessment of digital resources are also critical, Forum panelists agreed.

‘You have to pressure check continually’
“It all starts with awareness,” said Tristan Flannery managing partner at risk management firm Presage Global. “Who has access and what are your assets?” As software is updated, tech stacks must be “constantly evaluated,” said Ben Tercha, chief operating officer for managed services company Omega Systems. “You have to pressure check continually,” added cybersecurity consultant Matt Lamura. “If not, you’re spinning your wheels.”

Cyber activity has to be a major part of family office governance, on the same level as legal documents such as wills and trusts and estates said Byron Loflin, global head of Nasdaq’s advisory board. “The core framework of good governance is humility,” Loflin said. “You have to recognize your need and acknowledge that there are bad actors who want to steal from you.”

Employee issues
People, Loflin added, “make governance difficult,” a sentiment shared by other panelists, including Lisa Nelson, director of family office services at Wealthing VC Club. Nelson urged family offices to monitor employee satisfaction and how exiting employees were treated. Unhappy employees and a hostile work environment “could escalate to retaliation,” she warned.

Employees should be encouraged to report any internal or third-party cybersecurity weaknesses, and be rewarded for good behavior, said Karen Pocious, head of risk manager WTW’s financial services group for North America. 

Web sites employees visit should be monitored and data loss prevention tools employed, said Matthew Webster, chief executive of cybersecurity firm Cyvergence. And family offices must make clear that anything employees create digitally belongs to the firm, added Tim Schnurr, managing partner at data protection firm LeastTrust.

Preventative measures
Bring in third parties to evaluate and verify cybersecurity protocols, said Matt Loveless, head of data science and technology for data support firm Builders Vision. Training and testing processes and “internal threat exercises” were also critical, Loveless said. 

Tabletop exercises that simulate real-world cyber incidents in a safe environment to identify gaps before bad actors find them “really do help,” said Lamura. “Find out if you can survive without Addepar for an hour.”

If a family office executive or family member is kidnapped or stranded in a foreign country, firms “should be able to wipe data from personal devices remotely,” advised Dale Buckner (pictured below), CEO of security firm Global Guardian. 

Dale Buckner

New York City Police Department sergeant Greg Sanflippo, supervisor in the NYPD’s anti-terrorist and criminal Shield program, urged family offices to establish a relationship with local law enforcement in case of an emergency. “Invite the local precinct captain or community affairs coordinator to your office and get to know them before something bad happens,” Sanflippo said. “It makes a big difference.”

Insurance caution
Cyber insurance, which usually covers loss of data, not money, can be a useful cybersecurity tool, but family offices should proceed with caution, panelists said. 

Policies should be written down with a risk assessment and a plan to achieve full compliance, said William Roberts, partner and co-chair of data privacy, protection and litigation practice at Day Pitney. “Know your insurance broker and what’s covered and what’s not,” Roberts counseled. “These policies have a lot of exclusions. Do your due diligence. If the policy doesn’t work, it’s the fault of the buyer, not the seller.”

Charlotte Evans, vice president of operations for Cyberwolf, a cybersecurity firm specializing in UHNW individuals and families, also urged family offices to carefully review cyber insurance policies, especially limits on extortion coverage. “I think a lot of families are getting snowed,” she said.

Mitigating risk exposure
If family offices are hit with a ransomware attack, know who will make decisions in advance, Evans said. Above all, “understand where your risk exposure is coming from,” said Ileana Van Der Linde, executive director and head of cyber advisory for JP Morgan Asset & Wealth Management. “It’s all about making yourself a harder target,” said Justin Sellars (pictured below), vice president, private clients for digital executive protection firm 360 Privacy.

Justin Sellars