In conversation with Gareth Cocks, CEO of Mirador Solutions, our UK Director, Robert Moore, discusses cyberattacks and the risks they pose to family offices.

Are cyberattacks a real concern for family offices?

Absolutely, and we can expect to see the threat profile increase considerably over the course of the next few years.

Cyber terrorists, or bad actors, are becoming more sophisticated in their efforts and will actively seek to expose vulnerabilities in a target's infrastructure, stealing data, disrupting operations, or steering proceeds away from their intended destination. The attacker's aim is financial gain!

The concern for family offices is that with the increasing cybersecurity budgets of large investment managers, wealth managers and other financial services institutions, bad actors see family offices as a potential target on the perception that their systems and controls may be inferior to larger financial services businesses.

What are the main risks associated with an attack?

I would say the top three risks are:

  • Financial risk, where money is diverted to a cyber terrorist instead of the intended destination. The greater the perceived financial gain from malicious exploitation, and the greater the ease of exploitation, the greater the risk profile. The potential rewards for a well-organised cyberattack on a family office are significant, with the ability to divert large sums of money.
  • Operational or business risk. A bad actor could disrupt a family office from being able to operate their business in the way they require. A good example of this could be through a distributed denial-of-service or DDoS attack, where a cyberattack restricts access to a critical system or set of data. The cyber terrorist then holds the target organisation to ransom in order for access to be returned.
  • Lastly, I would say sensitive data risk, which is particularly relevant to a family office. This is where a terrorist steals data, either to sell on the dark web for monetary gain, or so they can blackmail or threaten the organisation by exposing that data in a way it may not want the public to be aware of.

Do you have clients who have experienced a cyberattack and how do you go about resolving the problem?

No family office that we have worked with has ever publicly admitted a cyberattack, but we would not expect them to make any attacks public due to the potential reputational damage.

We always focus on education and proactivity with our clients, building their primary defence against a cyberattack. Frequent training and development on what to look for in a potential cyberattack situation, combined with planning for an incident to take place are the cornerstone of good defence.

However, if a client had a cyberattack, then we would recommend that they follow their major security incident management process. This should be a well-versed and practised set of steps and actions that they take in the event of an incident.

At a minimum, an organisation that has been the victim of a cybercrime needs to ensure that they isolate any compromised device or devices, bring in a forensic organisation that focuses on cybercrime and contact the relevant authorities.

The best outcome any organisation can expect to have from a cyberattack is to ensure they learn the lessons and focus on implementing the remedial actions needed to prevent it from happening again. Just because an organisation has been a victim of a cyberattack it does not mean that it will not happen again. Training for staff and leadership on what to look for when it comes to phishing, social engineering or malware is fundamental. Where possible, family offices should look to align themselves with an industry recognised framework like ISO, NIST or Cyber Essentials.

What are the best ways to mitigate potential cyberattacks in the family office?

The best way to mitigate a cyberattack is to plan to be a victim of an attack, assess the risk and build an appropriate cyber incident management plan, which is a well-defined set of processes and procedures that you follow in the event of a cyberattack.

As alluded to earlier, we would typically advise our clients to select technology partners who align with the NIST or ISO frameworks. These frameworks focus on the technical security controls that need to be implemented, but they also ensure that a provider has the processes and procedures to respond to a cyberattack, including isolating compromised assets and implementing resilience protocols in the IT infrastructure.

Families must also ensure they have access to specialist forensic teams that can come in and help analyse the situation once it has happened, to help ensure preventative measures are in place to stop it happening again, and the right technology partners supporting their business, i.e. those who understand how to protect their clients with appropriate cyber controls.

Lastly, a client must manage their third-party cyber-risk: where a client's data resides outside of their own IT infrastructure with a third party, the client must ensure that they are carrying out due diligence on those third parties in the same way they would if it were their own IT infrastructure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.