Protecting family information and assets from outside attacks is a key security concern for family offices. But it’s also important to protect against possible harm from insiders.
A risk management survey by law firm Dentons, “The Evolving Risk Landscape for Family Offices,” emphasized the importance of assessing and protecting against insider threats.
“Insider threats are, basically, anyone that has access to protected information,” says Edward V. Marshall, global head of family office for Dentons. “Those could be family members, people who work in the family office, vendors, suppliers, others that have access to information or access to the physical space.”
Insider threats can be physical as well as digital — and they do not always come from criminals who planned to do harm. They can be accidental, such as a family member who falls victim to a phishing attack or an employee who forgets to lock an office building.
“An insider threat does not have to be somebody with malicious intent,” Marshall says.
Among the findings from the Dentons study:
- The percentage of family offices that periodically reassess the security profile of employees has risen, from 19% in 2020 to 37% now.
- Just over half — 54% — of family offices say all staff participate in risk mitigation and security training, and of those, 59% do so annually.
- Family members are viewed as the biggest source of reputational risk, cited by 36% of respondents.
- Inadequate staff knowledge due to lack of ongoing professional development for family office staff poses a risk, according to 28% of respondents.
Marshall says family offices should consider ongoing programs to protect against insider threats.
“When you think about the outsize access that a family office employee has, thinking through periodic reassessments of those individuals — while maintaining everyone’s privacy, while maintaining a good operating culture within a family office — is very doable. But it’s just something that’s not done widely in the family office world,” Marshall says. “Checks could include redoing background checks or looking at social media policies and other kinds of policies that you typically would see in a larger corporation. What somebody may think is not malicious could be dangerous to the family offices in terms of exposing their privacy.”