How Family Offices Can Avoid Cyber-Intrusions

More of China’s very wealthy – many of them self-made billionaires – are starting family offices as they chart their succession plans to pass on their accumulated assets to their offspring amid increasing uncertainty in the country’s financial market.

Spurred in part by the mainland stock market meltdown in 2016, the number of people with high net-worth wealth in the Chinese mainland has jumped dramatically, Many of them have opened family offices in Hong Kong over the past 12 months, data from UBS indicate, with average assets under management of US$341.7 million in 2017. 

The idea of managing family wealth – first used for managing royal or aristocratic wealth – has been around for centuries, but the modern concept of the family office developed in the 19th century United States. In 1838, the family of financier and art collector J.P. Morgan founded the House of Morgan to manage the family assets. In 1882, the Rockefellers founded their own family office, which is still in existence and provides services to other families.

Although each family office is unique to some extent and varies with the individual needs and objectives of the family, it can be characterized as a family-owned organization that manages private wealth and other family affairs.

Over the years, various types of family offices have emerged. The most prominent ones are the single-family office (SFO) and the multifamily office (MFO), but there are also embedded family offices (EFOs) linked to the family business, where there is a low level of separation between the family and its assets.

The SFOs and MFOs are distinct legal entities and manage assets that are completely separated from the family or the family business.

With the progressive growth of the family tree — owing to the birth of children and grandchildren and the addition of in-laws — and an increase in the complexity of the family’s asset base, families usually professionalize their private wealth management by setting up SFOs.

As subsequent generations evolve, and branches of the family become more independent of each other, investment activities within the original SFO activities become separated. This is the cornerstone for the emergence of an MFO. Sometimes these offices open up their services to a few non-related families.

Cyber threats and cyber security

The growing number and wealth of family offices in Hong Kong has made them an increasingly attractive target for cybercriminals. Cyber security regularly grabs headlines around the world and family offices containing sensitive data are not immune to the threat from international hackers. Most SFO operations do not have the full suite of cyber security protection at work like corporates, while MFOs – with their more diverse portfolios - - can become increasingly enticing targets for hackers.

The Numbers Game

.71% of GDP in East Asia & Pacific is lost to cybercrime - The Center for Strategic and International Studies partnered with McAfee and costs the world almost $600 billion, or 0.8 percent of global GDP. They released these figures in 2014:

• Worldwide losses from cybercrimes ranged from $375 billion to $575 billion.
• The average cost of cybercrime in 2015 was $15 million, which rose from $12.7 million in 2014.
• The costs per company ranged from $1.9 million to $65 million.

While there has been a rise among insurance companies offering cyber insurance premiums have also increased exponentially from $2.75 billion in 2015 to $3.25 billion in 2016.

According to the 2018 Identity Fraud: Fraud Enters a New Era of Complexity study from Javelin Strategy & Research, in 2017, there were 16.7 million victims of identity fraud in the US. Due to the introduction of microchip equipped credit cards, for the first time, more social Security numbers instead of credit card numbers, were exposed and hackers open a new financial account using stolen identity information. According to the Javelin study, new account fraud tripled in 2017 from 2016, with losses totalling $5.1 billion.

While most family offices rely upon the standard tools, such as anti-virus software and dual factor authentication, they do not have the time or resources to engage in broader protection such as network penetration testing, testing of business continuity planning, disaster recovery or home and personal security assessments.

There is no data on the percentage or dollars lost but anecdotally, I have known clients lose (due to hacking of client networks, email and communications; then following a specific family member to learn habits, travel schedule, banking contacts, modes and methods of communication) millions in a fraudulent transfer of funds, ranging from amounts as small as US$20,000 up to US$1 million.

Recent hacking of major corporations, financial institutions and governmental entities shows criminals are after personal data as well as money. Families should be concerned about potential cyber intrusions for three core concerns:

1.    Theft. Someone might access bank, credit, investment or other financial accounts. Their money may be at risk through phishing attacks, automatic teller machine (ATM) fraud.

2.    Privacy. Hackers may harm the family reputation (or its business) by revealing details about the family wealth, while thieves may use information to plan a robbery or kidnapping.

3.    Malice. Just as vandals might spray-paint graffiti on a building, hackers may access data or websites just to delete or destroy data, or perhaps to redirect users to a different website. This may cost the family privacy, in addition to the cost of repairing the websites.

Cyber protection

Written Cyber Policy & Technology Inventory As part of the maintenance, the office should ensure that software of operating systems, programs and browsers are kept up to date, routers and devices have no breaches. Families rarely impose penalties for violating these policies, but by writing them down, communicating them and providing education, the family understands and thinks about their behaviour. For example, the connected-device policy describes where and how the family wants family members to connect to the internet. Some families ban the use of public Wi-Fi, requiring that members use the data plan on their cell phones instead. Other families permit the use of public Wi-Fi, but require use of virtual private network (VPN) tools to protect privacy. Some families set a policy that home routers are non-discoverable, or such that someone cannot see the Wi-Fi in a list of available connections.

Cybersecurity insurance policy If the family office oversees family businesses, blog sites or foundations with websites, they should consider cybersecurity insurance. Such policies can cover liability for loss of data, such as client personal data or credit card details; remediation costs, such as investigation, notification and repairs; and settlement costs, such as client-monitoring services, payments or regulatory fines. Cyber insurance typically gives the family office access to the right experts in times of crisis to help identify and resolve the problems.

Identity protection Despite all of the best efforts, there remains a risk that a family member’s identity could be stolen. This may be by an employee of an organization where the member used a credit card, or perhaps the family member was one of many targeted by professional thieves based on a magazine article or other public information. There are many firms that will monitor any new account openings, credit requests and similar activity. If someone’s identity is stolen, these firms are experienced in helping the person recover from such theft. Many family offices provide such services for each family member.

Digital cornerstone

The digitally interconnected nature of our society extends throughout the range of human activities, spanning social communication, family member interaction, business networking, education, financial transactions, medical care and travel. Moreover, these information exchanges are now proliferating across mobile networks, and highly private information is managed and moved across the internet by a diverse cast of characters (banks, telecommunications companies, media conglomerates, technology firms, etc.).

Protecting the privacy and confidentiality of not only the financial and wealth management decisions but also the personal information, goals and preferences of the underlying family are of utmost importance. Establishing privacy and cyber security controls that proactively mitigate risks related to cyber attacks and implement incident response playbooks that help families plan ahead in the event of a breach.

Maren Schweizer

Chief Executive Officer

Schweizer World