Cybersecurity is important for all family offices, but especially those whose clients are often high-profile individuals whose notoriety and wealth require protection.
While family office leaders don’t need to delve into the nitty-gritty details of checkpoint intrusion prevention or firewall protocols, they typically hold primary responsibility for the adoption and oversight of strong cybersecurity systems. “Strong cyber systems are an essential component of family office practices,” says Mary Timmons, Chief Operating Officer of Global Family and Private Investment Office Services at Northern Trust. “Protecting families’ assets, along with their privacy, is job number one.”
Whether relying on outsourced or in-house security providers for implementation and day-to-day oversight of cyber risks, family office leaders should keep the following issues top of mind: endpoint protection, network security and identity security.
1. Endpoint protection
Family members’ and family office teams’ devices—including computers, tablets and mobile phones—can be points of entry for bad actors if they’re not properly secured. Securing these endpoint devices has become increasingly important amid the rise of hybrid and remote work.
A strong cybersecurity plan, created in consultation with an experienced partner, includes a comprehensive approach to endpoint protection, with elements including:
- software designed to prevent breaches
- solutions to detect and respond to any breaches that do occur
- systems for proactively investigating and mitigating cyber threats, including behavior analytics that flag anomalous activity on devices and accounts
2. Network security
Network security includes monitoring the integrity of wireless networks and servers, in addition to endpoints. Family office leaders should ensure their IT providers are keeping the network secure, including an always-on scan for vulnerabilities combined with timely application of the corresponding software patches and updates. In addition, IT providers should be able to explain any vulnerabilities in the system, as well as how those vulnerabilities are monitored and addressed.
These preventative measures should be accompanied by a robust disaster recovery and business continuity plan (BCP) detailing the steps to be taken should a breach occur. As a best practice, the BCP should be written into the IT provider’s contract, along with language that obligates the IT provider to restore service within a certain period. This contractual approach formalizes the agreement and ensures the IT provider will have data backups and other measures in place to respond swiftly to any incidents that arise.
3. Identity protection
Family offices may have stakeholders ranging from TikTok-obsessed teens to tech-averse octogenarians, with a corresponding spectrum of cyber hygiene habits. As a result, family office leaders must work with their IT providers to approach identity security comprehensively, preventing cyber criminals from stealing credentials or otherwise gaining access to protected assets and data. This process typically involves engaging third parties to provide training and education for family office principals, whether on a one-time or ongoing basis. Family offices should follow a similar process for phishing exercises, engaging a third party to conduct them, analyze the results and provide recommendations for next steps.
Protecting what matters
Given the complexity of protecting a family’s data and assets, family offices should consider aligning with the National Institute of Standards and Technology (NIST) cybersecurity framework. In addition to guiding the family office in measuring and mitigating risk, the NIST framework provides a common lexicon for security conversations with regulators and financial institutions.
Cybersecurity is a dynamic, continuous process. By identifying rigorous and trusted IT providers and vendors who can assess, maintain, and mitigate security risks, family offices can ensure that their clients’ wealth and privacy are secure.