A Guide to Protecting Your Family Office from a Cyber Breach

In the messy aftermath of the massive Equifax breach, which exposed the private information of nearly half of all American adults, many concerned family offices have inquired about what to do next to protect data security. And for good reason: criminals target and obtain wealthy individuals' information in order to open high-limit credit cards, borrow directly from banks or hack into the target’s email for nefarious purposes.

That’s why we see an even greater need for family offices to systemically review their management of sensitive information and ensure that standard protections are in place. Because there is no one-size-fits-all fix—even with a cyber liability insurance policy in place—we believe peace of mind is best accomplished through a multi-pronged approach that incorporates education, risk mitigation and a judicious mix of coverage.

Step one is to ensure that all family office staff and family members are trained to avoid clicking on so-called phishing emails (a.k.a. scams) that infect computers with malware or link to a page designed to steal private data. While this sounds simple, even the savviest fall prey. After all, phishing emails were responsible for the hacks at the Democratic National Convention and Sony Pictures, and a Gmail scam was so sophisticated that it fooled techies. Accordingly, Crystal Private Client suggests hiring a reputable, white glove security firm to conduct a full review of both the family office staffs’ and family members’ devices and accounts, including social media networks. The best firms also provide in-depth training to any individuals who repeatedly engage with potentially harmful emails, and run educational sessions for the entire family. They’ll even make it fun for the know-it-all 8-14-year-olds, who are almost certainly not as careful as they should be.

Meanwhile, family offices should update their own security processes. Regularly scheduled software reviews by an IT expert are, of course, a minimum requirement. Equally important, and sometimes overlooked, is instituting a process for the movement of cash. Currently, the best practices include creating a pre-established list of employees authorized to transfer funds or initiate payments, and implementing client identification methods. A callback confirmation provision, which is akin to the protocol typically employed by financial institutions, is one example. We’ve seen many cyber criminals use a family member’s hacked email account to send a fraudulent money wire request, and without a verification process that transaction is likely to go through.

Formalizing protocol for voice and electronic transfer requests is essential, as insurance companies will require detailed explanations of these actions before issuing fidelity bonds and newer social engineering fraud coverage—both crucial. The fidelity bonds cover losses—property or financial—incurred through fraud, forgery and employee dishonesty. Social engineering fraud coverage is now considered a standard element in any private insurance policy and is specifically oriented to mass or targeted email hacking schemes. Although you might expect otherwise, these thefts are usually not covered by cyber policies.

Family offices should still consider obtaining a cyber liability policy because it provides customized assistance should a hacker steal data or hold it hostage for ransom.  A breach coach, usually a law or forensic accounting firm, move quickly to a) identify what happened; b) assess the impact to the server; c) restore or repair the network; and d) do what is required to make future attacks unlikely. Without such a policy, family office officials are left to find their own experts and answers, which is not easily done nor an ideal circumstance during a crisis.

Unfortunately, those policies won’t protect the office, or family members, should the breach happen to a third party like Equifax. These companies generally have their own cyber policies and are prepared to notify those impacted, but these services were significantly overtaxed and thus unresponsive after the Equifax news. Because high-wealth (and especially high-profile) individuals often need to take immediate action, family offices should also consider obtaining identify theft coverage for each family member. Personal Insurance carriers offer a range of coverage as a supplement to homeowner’s insurance policies. Coverage features range from data restoration, cyber extortion, cyber bullying to crisis management and reputation restoration with a variety of coverage limits available. This specialty coverage can also include credit monitoring and credit freezing if—or more likely when—the next major breach happens.

Contact Us