Cybersecurity for Family Offices: Q&A with the director of the Global Family Office Group at Citi Private Bank

Last month Citi Private Bank released a white paper focused on the growing cybersecurity threat and its relevance to Family Offices. The white paper surveyed information security experts in and outside of Citi to provide a comprehensive guide on a topic of high interest to Family Offices. The full white paper can be accessed on the Citi Private Bank website here. 

The author of the report, Edward Marshall, director, Global Family Office Group at Citi Private Bank, said, “As seen in recent news, the number of cyberattacks perpetrated against nations, corporations and individuals are increasing at a rapid pace. One of the most pressing issues our clients face now is cybersecurity as Family Offices have more and more become targets of cyberattacks. We hope this white paper will impart actionable best practices and identify available resources in the cybersecurity space.” 

I asked Edward to shed some light on a segment of the market (Family Offices) that many do not have much visibility into.

Are you aware of any Family Offices hiring their own chief risk officer (CRO) or chief information security officer (CISO) yet?

While the corporations that often create the wealth for a family are well-equipped with information technology staff and updated technology, the Family Office is often deprived of the same treatment because they typically operate as separate corporate entities in locations convenient for the principal and/or access to capital markets Despite these resource constraints, Family Offices are starting to realize the importance of building an information security program that is flexible and can incorporate lessons learned and adapt to new cyber threats.

There is a growing cottage industry of security professionals and organizations springing up that cater to Family Office security and specifically cybersecurity issues. Family Offices are starting to look to how the largest public companies aim to protect their digital crown jewels from hackers. We have seen many Family Offices hire external professionals to provide an initial diagnostic of risks and then depending on complexity, FOs will retain those professionals to provide regular checkups. We witnessed further indications of the increased attention to cyber during our annual Family Office Leadership Program (FOLP) last month in Armonk, NY. FOLP is a three-day executive education program designed for C-level Family Office executives that features panel discussions on trends in Family Office management presented by Family Office practitioners and leading industry advisors. This year’s leadership program included a panel on cybersecurity for Family Offices. The cybersecurity panel was so well received by attendees at the Armonk leadership program that we plan to offer a dedicated cybersecurity panel at our upcoming Asian Family Office Leadership Program in October 2017 that will take place in Hong Kong.

For the moment, an in-house Family Office CISO position exists only for the largest Family Offices in North America.  However, as the complexity of Family Office’s mandate increases, we are likely to see increased use of consultants and internal CROs and CISOs.

Would you say Family Offices view the cyber threat as an IT issue (a network to defend), or do they see it as more comprehensive in defending enterprise value?

Family Offices manage tremendous amounts of wealth, representing 8% of the global ultra-high net worth population but nearly 50% of global ultra-high net worth wealth. In North America alone, there are an estimated 4,500-plus Family Offices. Complex and dedicated efforts to ensure cybersecurity are often given insufficient attention within a Family Office unless a serious breach has occurred in the past with the family. A recent report by Campden Wealth indicated that 15% of Family Offices surveyed were victims of a cyberattack with losses generally of $50,000 or less, with one incident that cost a family more than $10 million. Don’t let the lower dollar value of losses fool you into a sense of security. Hackers use these lower numbers as demands so that people will choose payment to get a quick fix versus trying to fix a problem. Hackers are often impatient and often prefer smaller “sure thing” targets versus drawing unwanted additional attention (e.g., the FBI) through very large demands.

Why would the bad guys attack Family Offices, and what assets are Family Offices most worried about protecting?

Many Family Offices have the “wealth” commensurate with small and medium enterprises but typically don’t put in place the same levels of security, making them lucrative targets for hackers. Unfortunately, the idea that only corporations and governments are at risk from cyberattacks is prevalent. This lack of preparation makes Family Offices an easier target when compared to other institutions or businesses. However, looking at wealth alone as a predictor of cyberattack threats is myopic. Family Offices face complex cybersecurity challenges because of these six differentiating factors:

1) Informal governance structure – While Family Offices as institutions have been around for over a century, structurally these entities usually have operated with a flat managerial style with few strict rules dictating day-to-day operations. There are exceptions to this trend, for example, when one examines institutional-level Family Offices (net worth $10 billion-plus). However, even some of the wealthiest and best-staffed Family Offices lack formalized daily governance. This is in juxtaposition to often well-established corporate governance guidelines seen in the companies that generated the wealth for the principal. As a result, comprehensive rules and regular training on information security best practices are often haphazardly applied, leading to potential vulnerabilities.

2) Efficient service vs. effective security – In addition to investment management responsibilities, many Family Offices are charged with handling the administrative concerns of the family. Some of those ancillary functions include setting up family meetings, paying bills, arranging travel, and select concierge duties. Principals expect that the professionals in a Family Office are available to work odd hours and respond to task requests as soon as possible. Often, this culture creates a potential for careless mistakes in information security practices and the avoidance of cybersecurity measures if they are deemed to impede response time to the request from the family.

3) Underinvestment in critical information technology systems – While the corporations that often create the wealth for a family are well-equipped with information technology staff and updated technology, the Family Office is often deprived of the same treatment because they typically operate as separate corporate entities in locations convenient for the principal and/or access to capital markets.

4) Heavy reliance on small staff with outsized access to critical data – Rarely do single Family Offices employ more than 10 staff members on a full-time basis because of operating cost concerns. This creates a problem in that this small group of staff members has access to amounts of data that would normally be compartmentalized in a larger organization. Therefore, if there is a breach at the Family Office level, the repercussions can be very serious.

5) Security risk from external vendors and partners – The significant risks posed by the supply chains of a business are well-documented and have recently come to the attention of financial regulators as a potentially dangerous security vulnerability. Supply chain risks show organizations are only as secure as the weakest link in their vendors, suppliers, and other miscellaneous third parties with which they interact. For example, a major U.S. retailer fell victim to a hacking event, in which 50million-plus customer credit card accounts were compromised through a third-party vendor. With a lean staff without proper IT resources and the sometimes cavalier approach to information security by Family Offices, supply chain risks become more amplified for Family Offices.

6) Fame and publicity – Prominence often accompanies significant wealth and wealth creation. This attention, whether desired or avoided, could make the Family Office a target. Many single Family Offices are notoriously private and do what they can to stay off the radar, attempting to anonymize and protect the underlying family they serve by choosing generic names and separate LLC entities. Despite these efforts, wealthy individuals can be easily identified making them potentially lucrative targets for cyber criminals.

Do Family Offices have experts they retain (outside their law firm or IR firm) to proactively game-plan and conduct table-top exercises to mitigate risk?

Yes, as I mentioned previously, this is a growing field with new players emerging. Cyber technology vendors and security firms/consultancies will find that Family Offices will be interested in keeping informed on cyber threats and on effective cybersecurity solutions.