Family Office Cybersecurity Tips
Modern family offices have transitioned away from paper records towards digital record keeping using secure e-mail and cloud storage. The result is increased workflow efficiency and the ease of sharing information with professional advisors. But, the transition to online communication and cloud storage also means family offices need to manage the associated cybersecurity risks carefully.
This post describes which cybersecurity risks your family office should be considering and the strategies used to mitigate them.
The Most Important Cybersecurity Risk – Identity Theft
Identity theft is the unauthorized use of another person’s personal information, such as their name, Social Security number, credit card number, or other identifying information, to commit fraud or other crimes.
Identity theft can result in the hackers opening credit card accounts, taking out loans, or making purchases in the victim’s name. It can also include using the victim’s personal information to access their bank accounts or other financial accounts.
Consequences of Identity Theft
The financial consequences of identity theft are obvious. But, what might be even more costly to victims are the emotional, social, and sometimes physical consequences.
Identity fraud is emotionally traumatic. The resulting anger and anxiety may linger in the victim’s mind long after the attack and can leave them with a sense of insecurity and even prevent them from trusting others as they may have before the attack.
Additionally, resolving fraud issues with banks, government, and other service providers is very time consuming and cannot necessarily be outsourced.
Furthermore, when your address and routine are exposed, it may also leave you vulnerable to physical harm. So, the need to guard against identity theft resulting from a cybersecurity breach is critical.
Secondary Cybersecurity Risks – Un-authorized Transactions
Following identity theft, payments made from your bank or brokerage account without your authorization are an important secondary cybersecurity risk. As a high net worth investor, the amount of cash and capital in your bank and brokerage accounts is large.
So, high-net-worth investors need to be especially diligent when guarding against un-authorized transactions from these accounts.
Cybersecurity Audit Checklist
Here is a list of 13 ways that your family office can protect you from cybersecurity threats:
- Use Document Storage – transition to cloud-based document storage and then manage access to those folders. Instead of sending documents that contain personal information via e-mail attachment, grant access to specific cloud-based folders that contain the information. Do not store digital information on your local machine and request the same of your service providers. Use cloud based end-to-end encryption whenever practical.
- Use Secure Communication – do not send un-encrypted documents as e-mail attachments. Consider using an end-to-end encrypted e-mail service.
- Update Your Payment Process – create a process to make payments, and then share and document this process internally and with your bankers. Do not rely on any single person to authorize payments.
- Guard Against Phishing – communicate the dangers of phishing to family office staff and clients. Take time to train seniors specifically.
- Prevent Investment Fraud – Many private equity and venture capital funds require personal information from investors to comply with various regulations during the investment application process. Many of these funds, especially smaller ones, will also ask investors to submit PDF documents with personal information as part of the investment application process. This is a significant cybersecurity risk. Oftentimes, smaller (emerging) private equity and venture capital funds do not have explicit privacy policies or data protection procedures in place. Whenever possible, use services like DocuSign to sign documents and then encrypt PDFs before sending via e-mail attachment. Then, the next biggest risk to family offices investing in private equity and venture capital funds is investment fraud by the investee (Ponzi risk). To manage this risk, require the investee to submit audited financials (or at least a note from a reputable accounting firm that may be verified) and provide quarterly reports of progress to investors.
- Credit Score Monitoring – if you’ve not done so already, subscribe to and then periodically monitor your credit score and credit report. Your family office should encourage each family member to do this.
- Password Storing and Retrieval – create a secure process to store and retrieve passwords. This could involve using a password storage program or an encrypted file within a cloud storage drive. Oh, and update/change passwords regularly! (choose random passwords, not intuitive words/phrases/codes)
- Refine Your Reporting Process – your family office should be providing you with regular reports of your financial affairs. This requires your family office to collect and store information from your investment accounts and assets/liability accounts. This information can then be examined, and the reports provided to you can be used to track any potential un-authorized activity. Regular reporting is an easy way to prevent most frauds by making information accessible and transparent.
- Use Private Banking – private banking is a good way to prevent most un-authorized payments from leaving your account. Having a human who knows who you are compared to a computer system who may not be able to personally identify you is still a useful way to prevent many identity thefts and un-authorized transactions from your accounts.
- Simplify Your Financial Life – if your financial life is complex, it is easier for certain types of fraud to go un-noticed. The simpler your financial life is, the easier it is to identify fraud/theft.
- Perform a Software Audit – perform an audit of software being used to conduct family office operations. This could mean transitioning to cloud-based applications whenever possible and limiting the use of desktop applications. Doing so ensures security vulnerabilities are patched by the software vendor in real-time. Examples include using QuickBooks Online instead of QuickBooks desktop. Or, using DocuSign (which can be converted into encrypted PDF) instead of e-mailing scanned copies of signed documents unencrypted.
- Use Two-factor Verification – most banks, brokerages, and investment fund portals ask you for two-factor identification. Create a process to manage these credentials and use them.
- Maintain Backups – once you’ve transitioned to cloud-based storage, maintain a system to back up and store this information (such as on an external drive in a secure/alternative location).
- Review Social Media – scrub your social media of personal information. This includes your accounts on popular platforms such as LinkedIn, Facebook, Instagram, and TikTok.
- Maintain Strong Relationships – why does Walmart use greeters? Because having a small personal connection with customers helps prevent theft. This is also the reason why the convenience store clerk may welcome you when entering the store. So, work hard to maintain a trusting relationship with your family office staff because their loyalty is critical to your cybersecurity. Train your staff about key cybersecurity risks.
You’re only as strong as your weakest link
After you’ve taken all the basic steps toward cybersecurity described in this post, you may be just as vulnerable as before. Why? Because once a document or piece of data leaves the purview of your family office, your cybersecurity defences are only as good as the service providers you’re working with.
If your accountant, a private equity fund you’ve invested in, or a careless family member shares information in a semi-secure way, then it really doesn’t matter what other protections you’ve taken. It’s easy for information to leak out.
Here are some practical questions a client asked our family office that might shed light on cybersecurity:
Should we be using an end-to-end encrypted e-mail service like Proton Mail instead of Gmail?
Probably, but it may not be worth the trouble of transitioning and giving up the features associated with Gmail hosting. The risk of an attack from a hacker breaking through Gmail or Google Drive is not zero, but it’s also not the biggest cybersecurity threat facing family offices. A more pressing threat is how family members are responding to phishing, and how information is shared with 3rd parties. Most hacks are socially engineered, not digital.
Also, how is your family office preventing investment fraud by private equity funds or venture capital funds? Put into context, the risk of investment fraud is much greater (and financially impactful) than the risk of an e-mail hack.
Should we be storing documents using end-to-end encrypted document storage?
Which document storage provider to choose should not be your biggest concern. Cloud storage providers are in the business of securing your data. Use a reputable provider such as Google Drive or OneDrive; they operate in a similar fashion and are trusted by large corporations and other organizations storing sensitive information.
More importantly, your personal information in the hands of 3rd parties without privacy policies/procedures is far more vulnerable. This is particularly true of most private equity and venture capital funds. In these cases, a better way to prevent identity theft or financial fraud is to demand a privacy policy and the details of the data security process used by your investees and to also require audited financial statements from your investees.
Let’s assume our cloud storage is accessed and the contents are made public. What are the consequences?
Well, it might be easy for anyone to know you’re wealthy and this information could be sold online. Being wealthy might not come as a surprise to anyone who already knows you, but it may help fraudsters target you in the future.
The value of the securities held in your brokerage account is not at risk. As anyone who has tried making a transfer from their brokerage account knows, there are many layers of security in place to prevent un-authorized transfers. But, as mentioned in this post, a good monitoring and reporting process is critical.
The bottom line with cybersecurity, like many other aspects of wealth management, is to make simplicity one of your main financial goals. Doing so will bring you many different benefits including ease of management, a feeling of greater control and peace of mind, fewer cybersecurity risks, and lower costs.
Our family office can provide you with an audit of your cybersecurity. We will identify the main threats you face and provide you with strategies to help mitigate them. Please contact us for more information.