Taking on the Challenge of Cybersecurity

Family offices cite cybersecurity as one of their key challenges. Bobby Stover, EY Americas family enterprise and family office leader, explains why it’s such a difficult issue and what family offices can do:

What makes cybersecurity a challenge in today’s environment?

You have to look at three pillars:

First, we’re in a digital world now: Everything you own, from a financial perspective, that is of value is in that digital world. People don’t have stock certificates sitting in a safe anymore. The amount of data that’s out there digitally is voluminous, and all the financial data is now digital. People are more exposed because it is digital – criminals don’t have to get inside a physical location to get it.

Second, unlike an office that’s locked with a file cabinet, the number of entry points is voluminous. The average household has 25 internet-connected devices. In a family office, what you would generally find is that the office — the physical location where the work is done for the family — is probably pretty secure. Then you have everybody touching it with email and texts. Tons of digital data is coming in and out of that environment.

Finally, tons of studies tell us that the human brain is wired to find the path of least resistance, the least amount of work. We say, ‘I hate dual encryption — I just want to click and go.’ There are a lot of things built in for security that we all kind of switch off because we want to move at a faster pace, and we’re human and it annoys us.

How do you see family offices approaching cybersecurity?

The family office world is split into two groups: Some families just do investing or accounting through their family office — they aren’t building homes or paying bills. A lot of those offices are pretty secure, because they don’t have as many points of entry.

Then you have full-service offices that have trust companies, accounting, finance, bill pay, construction, aircraft, boats. Those have a very different level of complexity: the number of systems, the number of people.

Why don’t more family offices have robust cybersecurity programs in place?

Employing a chief information security officer (CISO) and providing constant monitoring and protection from threats can be a $300,000- to $500,000-per-year exercise. The reason this hasn’t been adopted by the market is that when a family gets breached, it’s not public. So other families wonder, What am I paying for? What am I protecting against? They don’t understand the value of those increased costs. A lot of other types of organizations have to report when this happens, so their boards know it’s their responsibility.

How should family office leaders think about cyber risks?

Family offices need to think about an enterprise risk framework that helps you detect, respond and recover. Most people are focused on the ‘protect’ bucket. But the way to recover is to say, ‘I’m going to assume I’m going to get breached, so what do I do to identify, respond and recover?’

The true way to recover is to have a true CISO that is monitoring and anticipating. When you’re going to have transactions that are highly critical or large dollar amounts, create awareness: If we slow down, we have less chance of a mistake or a breach.

People are trying to figure out how to navigate the breach when it happens. It’s better to have an overview of: once you identify a threat, how do you respond and recover? Use a tabletop exercise where you gamify it: It’s 5 p.m., somebody sent a wire, how can we see if it’s fraudulent? Or: We have an email coming in saying a family member is in the Caribbean and has been kidnapped. They probably weren’t really kidnapped, but do we know how to check? Or: Somebody has locked down our server. Do we pay ransom?

Preparation and education are key. Family offices have to continue education on cybersecurity. How do we get the people that aren’t security people to think about and care about this?

On the education piece, there’s ongoing education, and then there’s education ahead of highly critical events. Get educated before a really important transaction: The deal guys are going to want to move fast and get the deal done, but remember that the callback on the phone matters. We want it to be a good transaction.

What is the importance of data construction in cybersecurity?

The way data used to be constructed — think of a file room or an old on-prem server — generally there were passwords and other protections, but everything was in one place. Noncritical data and highly critical data were all in one place.

A lot of folks, just because we went from file cabinets to server rooms to the cloud, haven’t really looked at their data construction. But data construction and data management are now a key part of cybersecurity.

What is a good strategy for organizing data and protecting the most sensitive data?

We need to separate highly critical, critical and noncritical data. It causes more work to think about where things are, but hopefully the controls for highly critical data, which isn’t touched as often, don’t expose it as much.

Every organization has inherent risk. Do an assessment of what the organization really cares about. Do I really care if everybody found out about the family retreat in Palm Desert? I might, because that could pose a security threat.

How can preparing for a specific event be helpful, given how many possible issues there are?

There are too many scenarios to consider all of them, but think about first, What’s the probability of the event? And second, What’s the loss if the event happens? If it’s a remote probability but a substantial loss, maybe you create a procedure to prevent or handle it. If it’s a low-loss event, even if high probability, maybe it’s not worth spending time on. All this has to be quantified by the family office.

These preparations for a specific event can also help build a framework for how to communicate and operationalize. If a scenario comes up that you didn’t plan for, you’ve now got muscle memory on protocols that can be built quickly for the new event.

About the Author

Margaret Steen

Margaret Steen is the editor of FO Pro, The Family Office Professional. Based in Silicon Valley, she has written for Family Business Magazine for more than 15 years.

